{"id":15643564,"url":"https://github.com/crazy-max/ghaction-container-scan","last_synced_at":"2025-04-06T06:08:49.285Z","repository":{"id":37827495,"uuid":"414171338","full_name":"crazy-max/ghaction-container-scan","owner":"crazy-max","description":"GitHub Action to check for vulnerabilities in your container image","archived":false,"fork":false,"pushed_at":"2024-10-10T12:04:37.000Z","size":4753,"stargazers_count":59,"open_issues_count":12,"forks_count":17,"subscribers_count":7,"default_branch":"master","last_synced_at":"2024-10-18T07:31:10.265Z","etag":null,"topics":["docker","github-actions","sarif-report","security-tools","trivy","vulnerability-scanners"],"latest_commit_sha":null,"homepage":"https://github.com/marketplace/actions/container-scan","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/crazy-max.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":".github/SUPPORT.md","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"crazy-max","custom":"https://www.paypal.me/crazyws"}},"created_at":"2021-10-06T10:44:30.000Z","updated_at":"2024-10-06T06:59:53.000Z","dependencies_parsed_at":"2023-11-24T13:27:52.050Z","dependency_job_id":"2bef4331-b8c7-4b27-b5a7-19009bbd83f5","html_url":"https://github.com/crazy-max/ghaction-container-scan","commit_stats":{"total_commits":154,"total_committers":4,"mean_commits":38.5,"dds":0.3571428571428571,"last_synced_commit":"f17494a3e47d86fb17c2c1f89b25049492a82d1d"},"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"repository_url":"https://repos.eco
syste.ms/api/v1/hosts/GitHub/repositories/crazy-max%2Fghaction-container-scan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crazy-max%2Fghaction-container-scan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crazy-max%2Fghaction-container-scan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/crazy-max%2Fghaction-container-scan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/crazy-max","download_url":"https://codeload.github.com/crazy-max/ghaction-container-scan/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247441052,"owners_count":20939239,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","github-actions","sarif-report","security-tools","trivy","vulnerability-scanners"],"created_at":"2024-10-03T12:00:34.366Z","updated_at":"2025-04-06T06:08:49.263Z","avatar_url":"https://github.com/crazy-max.png","language":"TypeScript","funding_links":["https://github.com/sponsors/crazy-max","https://www.paypal.me/crazyws"],"categories":[],"sub_categories":[],"readme":"[![GitHub release](https://img.shields.io/github/release/crazy-max/ghaction-container-scan.svg?style=flat-square)](https://github.com/crazy-max/ghaction-container-scan/releases/latest)\n[![GitHub marketplace](https://img.shields.io/badge/marketplace-container--scan-blue?logo=github\u0026style=flat-square)](https://github.com/marketplace/actions/container-scan)\n[![Test 
workflow](https://img.shields.io/github/actions/workflow/status/crazy-max/ghaction-container-scan/test.yml?branch=master\u0026label=test\u0026logo=github\u0026style=flat-square)](https://github.com/crazy-max/ghaction-container-scan/actions?workflow=test)\n[![Codecov](https://img.shields.io/codecov/c/github/crazy-max/ghaction-container-scan?logo=codecov\u0026style=flat-square)](https://codecov.io/gh/crazy-max/ghaction-container-scan)\n[![Become a sponsor](https://img.shields.io/badge/sponsor-crazy--max-181717.svg?logo=github\u0026style=flat-square)](https://github.com/sponsors/crazy-max)\n[![Paypal Donate](https://img.shields.io/badge/donate-paypal-00457c.svg?logo=paypal\u0026style=flat-square)](https://www.paypal.me/crazyws)\n\n## About\n\nGitHub Action to check for vulnerabilities in your container image with\n[Trivy](https://github.com/aquasecurity/trivy).\n\n![Screenshot](.github/scan-action.png)\n\n___\n\n* [Usage](#usage)\n  * [Scan image](#scan-image)\n  * [Scan tarball](#scan-tarball)\n  * [Severity threshold](#severity-threshold)\n  * [GitHub annotations](#github-annotations)\n  * [Upload to GitHub Code Scanning](#upload-to-github-code-scanning)\n  * [Build, scan and push your image](#build-scan-and-push-your-image)\n* [Customizing](#customizing)\n  * [inputs](#inputs)\n  * [outputs](#outputs)\n* [Notes](#notes)\n  * [`GITHUB_TOKEN` Minimum Permissions](#github_token-minimum-permissions)\n  * [`Advanced Security must be enabled for this repository to use code scanning`](#advanced-security-must-be-enabled-for-this-repository-to-use-code-scanning)  \n  * [`failed to copy the image: write /tmp/fanal-2740541230: no space left on device`](#failed-to-copy-the-image-write-tmpfanal-2740541230-no-space-left-on-device)\n  * [`timeout: context deadline exceeded`](#timeout-context-deadline-exceeded)\n  * [`could not parse reference: ghcr.io/UserName/myimage:latest`](#could-not-parse-reference-ghcriousernamemyimagelatest)\n* [Contributing](#contributing)\n* 
[License](#license)\n\n## Usage\n\n### Scan image\n\n```yaml\nname: ci\n\non:\n  push:\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      -\n        name: Checkout\n        uses: actions/checkout@v3\n      -\n        name: Build\n        uses: docker/build-push-action@v4\n        with:\n          context: .\n          push: true\n          tags: user/app:latest\n      -\n        name: Scan for vulnerabilities\n        uses: crazy-max/ghaction-container-scan@v3\n        with:\n          image: user/app:latest\n```\n\n### Scan tarball\n\n```yaml\nname: ci\n\non:\n  push:\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      -\n        name: Checkout\n        uses: actions/checkout@v3\n      -\n        name: Set up Docker Buildx\n        uses: docker/setup-buildx-action@v2\n      -\n        name: Build\n        uses: docker/build-push-action@v4\n        with:\n          context: .\n          outputs: type=docker,dest=/tmp/image.tar\n          tags: user/app:latest\n      -\n        name: Scan for vulnerabilities\n        uses: crazy-max/ghaction-container-scan@v3\n        with:\n          tarball: /tmp/image.tar\n```\n\n### Severity threshold\n\nYou can define a threshold for severity to mark the job as failed:\n\n```yaml\nname: ci\n\non:\n  push:\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      -\n        name: Checkout\n        uses: actions/checkout@v3\n      -\n        name: Build\n        uses: docker/build-push-action@v4\n        with:\n          context: .\n          push: true\n          tags: user/app:latest\n      -\n        name: Scan for vulnerabilities\n        uses: crazy-max/ghaction-container-scan@v3\n        with:\n          image: user/app:latest\n          severity_threshold: HIGH\n```\n\n![Severity threshold](.github/threshold.png)\n\n### GitHub annotations\n\nThis action is also able to create GitHub annotations in your workflow for\nvulnerabilities discovered:\n\n```yaml\nname: ci\n\non:\n  
push:\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      -\n        name: Checkout\n        uses: actions/checkout@v3\n      -\n        name: Build\n        uses: docker/build-push-action@v4\n        with:\n          context: .\n          push: true\n          tags: user/app:latest\n      -\n        name: Scan for vulnerabilities\n        uses: crazy-max/ghaction-container-scan@v3\n        with:\n          image: user/app:latest\n          annotations: true\n```\n\n![GitHub annotations](.github/annotations.png)\n\n### Upload to GitHub Code Scanning\n\nThis action also supports the [SARIF format](https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github)\nfor integration with [GitHub Code Scanning](https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/about-code-scanning)\nto show issues in the [GitHub Security](https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository)\ntab:\n\n```yaml\nname: ci\n\non:\n  push:\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      -\n        name: Checkout\n        uses: actions/checkout@v3\n      -\n        name: Build\n        uses: docker/build-push-action@v4\n        with:\n          context: .\n          push: true\n          tags: user/app:latest\n      -\n        name: Scan for vulnerabilities\n        id: scan\n        uses: crazy-max/ghaction-container-scan@v3\n        with:\n          image: user/app:latest\n          dockerfile: ./Dockerfile\n      -\n        name: Upload SARIF file\n        if: ${{ steps.scan.outputs.sarif != '' }}\n        uses: github/codeql-action/upload-sarif@v2\n        with:\n          sarif_file: ${{ steps.scan.outputs.sarif }}\n```\n\n\u003e :bulb: `dockerfile` input is required to generate a sarif report.\n\n![GitHub Code 
Scanning](.github/codeql.png)\n\n### Build, scan and push your image\n\n```yaml\nname: ci\n\non:\n  push:\n\njobs:\n  scan:\n    runs-on: ubuntu-latest\n    steps:\n      -\n        name: Checkout\n        uses: actions/checkout@v3\n      -\n        name: Set up QEMU\n        uses: docker/setup-qemu-action@v2\n      -\n        name: Set up Docker Buildx\n        uses: docker/setup-buildx-action@v2\n      -\n        name: Build and load\n        uses: docker/build-push-action@v4\n        with:\n          context: .\n          load: true\n          tags: user/app:latest\n      -\n        name: Scan for vulnerabilities\n        id: scan\n        uses: crazy-max/ghaction-container-scan@v3\n        with:\n          image: user/app:latest\n          dockerfile: ./Dockerfile\n      -\n        name: Build multi-platform and push\n        uses: docker/build-push-action@v4\n        with:\n          context: .\n          platforms: linux/amd64,linux/arm64\n          push: true\n          tags: user/app:latest\n```\n\n## Customizing\n\n### inputs\n\nThe following inputs can be used as `step.with` keys:\n\n| Name                 | Type   | Description                                                                                      |\n|----------------------|--------|--------------------------------------------------------------------------------------------------|\n| `trivy_version`      | String | [Trivy CLI](https://github.com/aquasecurity/trivy) version (default `latest`)                    |\n| `image`              | String | Container image to scan (e.g. 
`alpine:3.7`)                                                      |\n| `tarball`            | String | Container image tarball path to scan                                                             |\n| `dockerfile`         | String | Dockerfile required to generate a SARIF report                                                   |\n| `severity`           | String | Report vulnerabilities of provided level or higher (default: `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`) |\n| `severity_threshold` | String | Severity level at or above which the job is marked failed                                        |\n| `ignore_unfixed`     | Bool   | Ignore unfixed vulnerabilities                                                                   |\n| `annotations`        | Bool   | Create GitHub annotations in your workflow for vulnerabilities discovered                        |\n\n### outputs\n\nThe following outputs are available:\n\n| Name    | Type | Description              |\n|---------|------|--------------------------|\n| `json`  | File | JSON format scan result  |\n| `sarif` | File | SARIF format scan result |\n\n## Notes\n\n### GITHUB_TOKEN Minimum Permissions\n\nIf you want the scan to include the Dockerfile, you'll need to check out the repository and give the job:\n\n```yaml\npermissions:\n  contents: read\n```\n\nIf you want to upload the SARIF report to GitHub Security, you'll need to add these permissions to the job:\n\n```yaml\npermissions:\n  actions: read\n  security-events: write\n```\n\n### `Advanced Security must be enabled for this repository to use code scanning`\n\nIf you receive this error, it likely means you're using a private repository\nand trying to upload SARIF reports, which requires an org admin to enable\nAdvanced Security for the repository.\n\n### `failed to copy the image: write /tmp/fanal-2740541230: no space left on device`\n\nIf you encounter this error, you probably have a huge image to scan, so you may\nneed to free up some space in your runner. You can, for example, remove the\ndotnet framework, which takes around 23GB of disk space:\n\n```yaml\n      -\n        name: Remove dotnet\n        run: sudo rm -rf /usr/share/dotnet\n      -\n        name: Scan for vulnerabilities\n        uses: crazy-max/ghaction-container-scan@v3\n        with:\n          image: user/app:latest\n```\n\n### `timeout: context deadline exceeded`\n\nThis error means the `trivy` command exceeded its timeout. You can increase\nthe timeout by setting the `TRIVY_TIMEOUT` environment variable:\n\n```yaml\n      -\n        name: Scan for vulnerabilities\n        uses: crazy-max/ghaction-container-scan@v3\n        with:\n          image: user/app:latest\n        env:\n          TRIVY_TIMEOUT: 10m\n```\n\n### `could not parse reference: ghcr.io/UserName/myimage:latest`\n\nYou may encounter this issue if you're using `github.repository` as the\nrepo slug for the image input: image references must be lowercase, while\n`github.repository` keeps the original casing of the owner and repository names:\n\n```\nError: 2021-11-30T09:52:13.115Z\tFATAL\tscan error: unable to initialize a scanner: unable to initialize a docker scanner: failed to parse the image name: could not parse reference: ghcr.io/UserName/myimage:latest\n```\n\nTo fix this issue you can use our [metadata action](https://github.com/docker/metadata-action)\nto generate sanitized tags:\n\n```yaml\n-\n  name: Docker meta\n  id: meta\n  uses: docker/metadata-action@v4\n  with:\n    images: ghcr.io/${{ github.repository }}\n    tags: latest\n-\n  name: Build and push\n  uses: docker/build-push-action@v4\n  with:\n    context: .\n    push: true\n    tags: ${{ steps.meta.outputs.tags }}\n-\n  name: Scan for vulnerabilities\n  id: scan\n  uses: crazy-max/ghaction-container-scan@v3\n  with:\n    image: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}\n    dockerfile: ./Dockerfile\n```\n\nOr add a dedicated step that lowercases the slug:\n\n```yaml\n-\n  name: Sanitize repo slug\n  uses: actions/github-script@v6\n  id: repo_slug\n  with:\n    result-encoding: string\n    script: return 'ghcr.io/${{ github.repository 
}}'.toLowerCase()\n-\n  name: Build and push\n  uses: docker/build-push-action@v4\n  with:\n    context: .\n    push: true\n    tags: ${{ steps.repo_slug.outputs.result }}:latest\n-\n  name: Scan for vulnerabilities\n  id: scan\n  uses: crazy-max/ghaction-container-scan@v3\n  with:\n    image: ${{ steps.repo_slug.outputs.result }}:latest\n    dockerfile: ./Dockerfile\n```\n\n## Contributing\n\nWant to contribute? Awesome! The most basic way to show your support is to star\nthe project, or to raise issues. You can also support this project by [**becoming a sponsor on GitHub**](https://github.com/sponsors/crazy-max)\nor by making a [PayPal donation](https://www.paypal.me/crazyws) to ensure this\njourney continues indefinitely!\n\nThanks again for your support, it is much appreciated! :pray:\n\n## License\n\nMIT. See `LICENSE` for more details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcrazy-max%2Fghaction-container-scan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcrazy-max%2Fghaction-container-scan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcrazy-max%2Fghaction-container-scan/lists"}