{"id":36749971,"url":"https://github.com/wgtechlabs/container-build-flow-action","last_synced_at":"2026-02-28T12:47:48.580Z","repository":{"id":326077511,"uuid":"1094162765","full_name":"wgtechlabs/container-build-flow-action","owner":"wgtechlabs","description":"Intelligent docker container build automation for modern development workflows.","archived":false,"fork":false,"pushed_at":"2026-02-17T06:23:33.000Z","size":234,"stargazers_count":3,"open_issues_count":6,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-17T11:32:49.058Z","etag":null,"topics":["docker","ghcr","security","workflow-automation"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wgtechlabs.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":".github/funding.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null},"funding":{"github":["wgtechlabs","warengonzaga"],"buy_me_a_coffee":"wgtechlabs"}},"created_at":"2025-11-11T10:43:13.000Z","updated_at":"2026-02-17T06:20:01.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/wgtechlabs/container-build-flow-action","commit_stats":null,"previous_names":["wgtechlabs/container-build-flow-action"],"tags_count":14,"template":false,"template_full_name":null,"purl":"pkg:github/wgtechlabs/container-build-flow-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wgtechlabs%2Fcontainer-build-flow-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wgtechlabs%2Fcontainer-build-flow-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wgtechlabs%2Fcontainer-build-flow-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wgtechlabs%2Fcontainer-build-flow-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wgtechlabs","download_url":"https://codeload.github.com/wgtechlabs/container-build-flow-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wgtechlabs%2Fcontainer-build-flow-action/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29934450,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-28T12:34:16.884Z","status":"ssl_error","status_checked_at":"2026-02-28T12:34:13.721Z","response_time":90,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","ghcr","security","workflow-automation"],"created_at":"2026-01-12T12:43:09.113Z","updated_at":"2026-02-28T12:47:48.555Z","avatar_url":"https://github.com/wgtechlabs.png","language":"JavaScript","funding_links":["https://github.com/sponsors/wgtechlabs","https://github.com/sponsors/warengonzaga","https://buymeacoffee.com/wgtechlabs"],"categories":[],"sub_categories":[],"readme":"# Container Build Flow Action 🐳\n\n[![GitHub Marketplace](https://img.shields.io/badge/Marketplace-Container%20Build%20Flow-blue.svg?colorA=24292e\u0026colorB=0366d6\u0026style=flat\u0026longCache=true\u0026logo=github)](https://github.com/marketplace/actions/container-build-flow-action) [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) [![GitHub Release](https://img.shields.io/github/release/wgtechlabs/container-build-flow-action.svg)](https://github.com/wgtechlabs/container-build-flow-action/releases) [![Made by WG Tech Labs](https://img.shields.io/badge/made%20by-WG%20Tech%20Labs-0060a0.svg?logo=github\u0026longCache=true\u0026labelColor=181717\u0026style=flat-square)](https://github.com/wgtechlabs)\n\n\u003e **Intelligent container build automation for modern development workflows.**  \n\u003e Automated Docker/Container builds with branch-aware tagging for Docker Hub and GitHub Container Registry.\n\nStop writing repetitive Docker build workflows. This GitHub Action automatically detects your branch context (PR, dev, patch, or WIP) and builds container images with intelligent tags—no configuration gymnastics required.\n\n---\n\n## 🎯 Why Use This Action?\n\n**The Problem:**  \nBuilding containers across multiple branches with different tagging strategies is repetitive and error-prone. Teams waste time writing similar workflows for PRs, development, staging, and production.\n\n**The Solution:**  \nOne action that intelligently detects your workflow context and applies the right tags automatically. Whether it's a feature PR, a dev→main promotion, or an emergency hotfix, your containers get tagged correctly—every time.\n\n---\n\n## 🔍 How It Works\n\nThis action analyzes your GitHub workflow context and automatically determines the appropriate build flow:\n\n```mermaid\ngraph LR\n    A[Push/PR Event] --\u003e B{Detect Context}\n    B --\u003e|PR → dev| C[pr-sha]\n    B --\u003e|dev → main| D[dev-sha]\n    B --\u003e|hotfix → main| E[patch-sha]\n    B --\u003e|push → main| F[staging-sha]\n    B --\u003e|other| G[wip-sha]\n    C --\u003e H[Build \u0026 Push]\n    D --\u003e H\n    E --\u003e H\n    F --\u003e H\n    G --\u003e H\n    H --\u003e I[PR Comment]\n```\n\n**No manual configuration needed.** Just add the action to your workflow, and it handles branch detection, tagging, building, and PR comments automatically for all flow types—whether triggered by pull requests or direct pushes to tracked branches.\n\n---\n\n## ✨ Features\n\n- 🎯 **Intelligent Flow Detection** - Automatically detects PR context and assigns appropriate build tags\n- 🐳 **Dual Registry Support** - Push to Docker Hub, GHCR, or both simultaneously\n- 🏷️ **Smart Tagging Strategy** - `pr-{sha}`, `dev-{sha}`, `patch-{sha}`, `wip-{sha}` flows\n- 🔧 **Highly Configurable** - Customize branches, registries, build options, and more\n- 💬 **Smart PR Comments** - Automatic pull instructions posted to PRs for all flow types (push and pull_request events)\n- 🚀 **Multi-Platform Builds** - Support for `linux/amd64`, `linux/arm64`, and more\n- 🔐 **Security-First** - Built-in SBOM and provenance attestations\n- 🔒 **Built-in Security Scanning** - Comprehensive vulnerability scanning with Trivy (source code, Dockerfile, and container images)\n- ⚡ **Build Cache** - GitHub Actions cache integration for faster builds\n\n\u003e [!NOTE]\n\u003e Security scanning is **enabled by default** with built-in optimizations: intelligent caching, fallback registries (`mirror.gcr.io`), and minimal overhead (~2-5 min). First run downloads the vulnerability database; subsequent scans use cached data.\n\n---\n\n## 💡 Before \u0026 After\n\n\u003ctable\u003e\n\u003ctr\u003e\n\u003cth\u003e❌ Without This Action\u003c/th\u003e\n\u003cth\u003e✅ With This Action\u003c/th\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd\u003e\n\n```yaml\n# Multiple jobs for different flows\nbuild-pr:\n  if: github.event_name == 'pull_request'\n  steps:\n    - run: docker build -t app:pr-$SHA .\n    \nbuild-dev:\n  if: github.ref == 'refs/heads/dev'\n  steps:\n    - run: docker build -t app:dev-$SHA .\n    \nbuild-patch:\n  if: contains(github.head_ref, 'hotfix')\n  steps:\n    - run: docker build -t app:patch-$SHA .\n\n# ... 50+ lines of repetitive config\n```\n\n\u003c/td\u003e\n\u003ctd\u003e\n\n```yaml\n# One job handles everything\nbuild:\n  steps:\n    - uses: wgtechlabs/container-build-flow-action@v1\n      with:\n        dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}\n        dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}\n\n# Done! Automatically detects flow,\n# builds, tags, and pushes correctly\n```\n\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/table\u003e\n\n**Result:** Reduce workflow complexity by 80%+ while gaining automatic PR comments, multi-registry support, and intelligent tagging.\n\n---\n\n## 📋 Build Flow Types\n\nAll flow types use **commit SHA** (first 7 characters) for tagging, ensuring traceability back to the exact code that was built.\n\n| Flow Type | Trigger | Tag Format | Use Case |\n|-----------|---------|------------|----------|\n| **PR** | Pull Request → `dev` branch | `pr-{sha}` | Feature development and testing |\n| **DEV** | Pull Request from `dev` → `main` OR Push to `dev` branch | `dev-{sha}` | Development images |\n| **PATCH** | Pull Request → `main` (not from `dev`) | `patch-{sha}` | Hotfixes and emergency patches |\n| **STAGING** | Direct push to `main` branch (after PR merge) | `staging-{sha}` | Pre-production validation before release |\n| **WIP** | Other branches/commits | `wip-{sha}` | Work in progress experiments |\n\n\u003e **Note:** The `{sha}` in each tag represents the **HEAD commit SHA** of the PR or push event, not the PR number. This ensures every build can be traced to its exact source code.\n\n---\n\n## 🏷️ Tagging Strategy\n\n### Why Commit SHA?\n\nEvery image tag includes the commit SHA (first 7 characters) instead of PR numbers for several important reasons:\n\n- **Traceability**: Directly links images to exact source code in Git history\n- **Uniqueness**: Guarantees unique tags even across multiple PRs\n- **Reproducibility**: Makes it easy to rebuild or debug specific versions\n- **CI/CD Integration**: Works seamlessly with GitOps workflows\n\n### Tag Format Examples\n\n```bash\n# Feature PR #42 with commit abc1234\nmyorg/myapp:pr-abc1234\n\n# Dev branch with commit def5678\nmyorg/myapp:dev-def5678\n\n# Staging build after merge to main with commit ghi9012\nmyorg/myapp:staging-ghi9012\n\n# With custom prefix/suffix\nmyorg/myapp:v1-pr-abc1234-alpine\n```\n\n### Workflow Integration\n\n```yaml\n# In your deployment workflow, reference by SHA\n- name: Deploy to Staging\n  run: |\n    docker pull myorg/myapp:staging-${{ github.sha:0:7 }}\n    docker tag myorg/myapp:staging-${{ github.sha:0:7 }} myorg/myapp:latest\n    # Deploy...\n```\n\n---\n\n## 🚀 Quick Start\n\n### Basic Usage\n\n```yaml\nname: Container Build\n\non:\n  pull_request:\n    branches: [main, dev]\n  push:\n    branches: [main, dev]\n\njobs:\n  build:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n      \n      - name: Build and Push Container\n        uses: wgtechlabs/container-build-flow-action@v1\n        with:\n          dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}\n          dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}\n```\n\n### Docker Hub Only\n\n```yaml\n- name: Build and Push to Docker Hub\n  uses: wgtechlabs/container-build-flow-action@v1\n  with:\n    registry: docker-hub\n    dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}\n    dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}\n```\n\n### GHCR Only\n\n```yaml\n- name: Build and Push to GHCR\n  uses: wgtechlabs/container-build-flow-action@v1\n  with:\n    registry: ghcr\n    ghcr-token: ${{ secrets.GITHUB_TOKEN }}\n```\n\n### Custom Branch Names\n\n```yaml\n- name: Build with Custom Branches\n  uses: wgtechlabs/container-build-flow-action@v1\n  with:\n    main-branch: production\n    dev-branch: staging\n    dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}\n    dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}\n```\n\n### Multi-Platform Build\n\n```yaml\n- name: Multi-Platform Build\n  uses: wgtechlabs/container-build-flow-action@v1\n  with:\n    platforms: linux/amd64,linux/arm64\n    dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}\n    dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}\n```\n\n### Advanced Configuration\n\n```yaml\n- name: Advanced Container Build\n  uses: wgtechlabs/container-build-flow-action@v1\n  with:\n    # Registry\n    registry: both\n    dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}\n    dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}\n    \n    # Branch Configuration\n    main-branch: main\n    dev-branch: dev\n    \n    # Build Configuration\n    dockerfile: ./docker/Dockerfile\n    context: .\n    platforms: linux/amd64,linux/arm64\n    build-args: |\n      NODE_ENV=production\n      VERSION=${{ github.sha }}\n    \n    # Tagging\n    tag-prefix: v1-\n    tag-suffix: -alpine\n    \n    # PR Comments\n    pr-comment-enabled: true\n    \n    # Security\n    provenance: true\n    sbom: true\n```\n\n---\n\n## 🔒 Security Scanning\n\nThis action includes comprehensive built-in security scanning using [Trivy](https://trivy.dev/), providing vulnerability detection for your container images, source code, and Dockerfiles—all enabled by default.\n\n### 🎯 Features\n\n- **🔍 Pre-Build Scanning**: Scan source code and Dockerfile before building\n- **🐳 Container Image Scanning**: Scan final container images for vulnerabilities\n- **📊 GitHub Security Integration**: Automatic SARIF upload to GitHub Security tab\n- **💬 PR Comments**: Detailed vulnerability reports in pull request comments\n- **📈 Baseline Comparison**: Compare vulnerabilities against baseline images\n- **🚨 Fail on Vulnerabilities**: Optional build failure on security issues\n- **⚡ Fast \u0026 Configurable**: Customizable severity levels, timeouts, and ignore patterns\n\n### 🚀 Quick Start\n\n**Default Behavior** - Security scanning is enabled automatically:\n\n```yaml\n- name: Build with Security Scanning\n  uses: wgtechlabs/container-build-flow-action@v1\n  with:\n    dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}\n    dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}\n    # Security scanning runs automatically!\n    # - Source code scan\n    # - Dockerfile scan\n    # - Container image scan\n    # - Results uploaded to GitHub Security tab\n    # - Vulnerabilities shown in PR comments\n```\n\n### 📋 Configuration Examples\n\n#### Disable Security Scanning\n\nIf you use your own security tools or want to skip scanning:\n\n```yaml\n- name: Build without Security Scanning\n  uses: wgtechlabs/container-build-flow-action@v1\n  with:\n    dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}\n    dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}\n    pre-build-scan-enabled: false\n    image-scan-enabled: false\n    vulnerability-comment-enabled: false\n```\n\n#### Strict Security (Fail on Vulnerabilities)\n\nFail the build if HIGH or CRITICAL vulnerabilities are found:\n\n```yaml\n- name: Strict Security Build\n  uses: wgtechlabs/container-build-flow-action@v1\n  with:\n    dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}\n    dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}\n    trivy-severity: HIGH,CRITICAL\n    trivy-ignore-unfixed: true\n    fail-on-vulnerability: true\n```\n\n#### Scan All Severity Levels\n\nInclude all vulnerabilities (UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL):\n\n```yaml\n- name: Comprehensive Security Scan\n  uses: wgtechlabs/container-build-flow-action@v1\n  with:\n    dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}\n    dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}\n    trivy-severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL\n```\n\n#### Compare Against Baseline\n\nTrack security improvements by comparing against a baseline image:\n\n```yaml\n- name: Build with Baseline Comparison\n  uses: wgtechlabs/container-build-flow-action@v1\n  with:\n    dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}\n    dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}\n    enable-image-comparison: true\n    comparison-baseline-image: myorg/myapp:latest\n```\n\n#### Skip Specific Directories\n\nExclude directories from scanning (e.g., test fixtures, vendor code):\n\n```yaml\n- name: Build with Selective Scanning\n  uses: wgtechlabs/container-build-flow-action@v1\n  with:\n    dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}\n    dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}\n    trivy-skip-dirs: tests/,vendor/,node_modules/\n```\n\n### 🔧 Advanced Configuration\n\n#### Custom SARIF Categories\n\nOrganize security results with custom categories:\n\n```yaml\n- name: Build with Custom SARIF Categories\n  uses: wgtechlabs/container-build-flow-action@v1\n  with:\n    dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}\n    dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}\n    upload-sarif: true\n    sarif-category-source: my-app-source-scan\n    sarif-category-dockerfile: my-app-dockerfile-scan\n    sarif-category-image: my-app-container-scan\n```\n\n#### Longer Timeout for Large Images\n\nIncrease scan timeout for large container images:\n\n```yaml\n- name: Build Large Image with Extended Timeout\n  uses: wgtechlabs/container-build-flow-action@v1\n  with:\n    dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}\n    dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}\n    trivy-timeout: 20m0s\n```\n\n### 🙈 Ignoring False Positives\n\nCreate a `.trivyignore` file in your repository root:\n\n```bash\n# Copy example file\ncp .trivyignore.example .trivyignore\n\n# Add CVEs to ignore\necho \"CVE-2021-12345\" \u003e\u003e .trivyignore\n```\n\nExample `.trivyignore`:\n\n```\n# Known false positive in test dependencies\nCVE-2021-44228\n# Accepted risk with mitigations\nCVE-2022-12345\n```\n\n**Best Practice**: Always document why a vulnerability is ignored.\n\n### 📊 Viewing Results\n\n**GitHub Security Tab**: View detailed vulnerability reports:\n1. Navigate to your repository\n2. Click **Security** tab\n3. Click **Code scanning alerts**\n4. Filter by tool: **Trivy**\n\n**PR Comments**: Vulnerability summaries are automatically added to PR comments with:\n- Pre-build scan results\n- Container vulnerability counts by severity\n- Comparison with baseline (if enabled)\n- Expandable details for each vulnerability\n- Links to GitHub Security tab\n\n### 🎯 Security Scanning Inputs\n\n| Input | Description | Required | Default |\n|-------|-------------|----------|---------|\n| `pre-build-scan-enabled` | Enable pre-build security scanning | No | `true` |\n| `scan-source-code` | Scan source code and dependencies | No | `true` |\n| `scan-dockerfile` | Scan Dockerfile for misconfigurations | No | `true` |\n| `image-scan-enabled` | Enable post-build container image scanning | No | `true` |\n| `trivy-severity` | Severity levels to scan (comma-separated) | No | `HIGH,CRITICAL` |\n| `trivy-ignore-unfixed` | Ignore vulnerabilities without fixes | No | `false` |\n| `trivy-timeout` | Trivy scan timeout duration | No | `10m0s` |\n| `trivy-skip-dirs` | Directories to skip (comma-separated) | No | `''` |\n| `trivy-skip-files` | Files to skip (comma-separated) | No | `''` |\n| `upload-sarif` | Upload results to GitHub Security tab | No | `true` |\n| `sarif-category-source` | SARIF category for source code scan | No | `trivy-source-scan` |\n| `sarif-category-dockerfile` | SARIF category for Dockerfile scan | No | `trivy-dockerfile-scan` |\n| `sarif-category-image` | SARIF category for container image scan | No | `trivy-container-scan` |\n| `vulnerability-comment-enabled` | Add vulnerability info to PR comments | No | `true` |\n| `enable-image-comparison` | Compare with baseline image | No | `false` |\n| `comparison-baseline-image` | Baseline image for comparison | No | `''` |\n| `fail-on-vulnerability` | Fail build if vulnerabilities found | No | `false` |\n\n### 📤 Security Scanning Outputs\n\n| Output | Description |\n|--------|-------------|\n| `vulnerability-scan-completed` | Whether scanning completed successfully |\n| `total-vulnerabilities` | Total number of vulnerabilities found |\n| `critical-vulnerabilities` | Number of CRITICAL vulnerabilities |\n| `high-vulnerabilities` | Number of HIGH vulnerabilities |\n| `medium-vulnerabilities` | Number of MEDIUM vulnerabilities |\n| `low-vulnerabilities` | Number of LOW vulnerabilities |\n\n**Using Outputs**:\n\n```yaml\n- name: Build Container\n  id: build\n  uses: wgtechlabs/container-build-flow-action@v1\n  with:\n    dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}\n    dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}\n\n- name: Check Vulnerability Results\n  run: |\n    echo \"Scan completed: ${{ steps.build.outputs.vulnerability-scan-completed }}\"\n    echo \"Total vulnerabilities: ${{ steps.build.outputs.total-vulnerabilities }}\"\n    echo \"Critical: ${{ steps.build.outputs.critical-vulnerabilities }}\"\n    echo \"High: ${{ steps.build.outputs.high-vulnerabilities }}\"\n```\n\n### ❓ FAQ\n\n#### Why Trivy instead of Docker Scout?\n\nTrivy is:\n- ✅ Open source and free\n- ✅ No vendor lock-in\n- ✅ Comprehensive (CVE, misconfigurations, secrets, licenses)\n- ✅ Fast and lightweight\n- ✅ Well-maintained by Aqua Security\n- ✅ Native GitHub Actions integration\n\n#### Can I use my own security scanning tools?\n\nYes! Disable the built-in scanning:\n\n```yaml\npre-build-scan-enabled: false\nimage-scan-enabled: false\nvulnerability-comment-enabled: false\n```\n\nThen add your own security scanning steps.\n\n#### Will security scanning slow down my builds?\n\nSecurity scanning adds approximately:\n- **Source code scan**: 30-60 seconds\n- **Dockerfile scan**: 5-10 seconds\n- **Container image scan**: 1-3 minutes\n\nTotal overhead: **2-5 minutes** on average.\n\nTo minimize impact:\n- Use `trivy-severity: HIGH,CRITICAL` (default)\n- Set `trivy-ignore-unfixed: true`\n- Use GitHub Actions caching (automatic)\n\n#### How do I handle false positives?\n\n1. Create a `.trivyignore` file in your repository root\n2. Add CVE IDs to ignore (one per line)\n3. Document why each CVE is ignored\n4. Review ignored CVEs regularly\n\nExample:\n```bash\n# Create from example\ncp .trivyignore.example .trivyignore\n\n# Add specific CVE\necho \"CVE-2021-12345  # False positive in test deps\" \u003e\u003e .trivyignore\n```\n\n#### What permissions are required?\n\nFor full security scanning features, add these to your workflow:\n\n```yaml\npermissions:\n  contents: read           # Read repository content\n  packages: write          # Push to registries\n  security-events: write   # Upload SARIF to Security tab\n  pull-requests: write     # Comment on PRs\n```\n\n### 📚 Example Workflows\n\nSee the [`examples/`](examples/) directory for complete workflow examples:\n- [`basic-scanning.yml`](examples/basic-scanning.yml) - Default security scanning\n- [`strict-security.yml`](examples/strict-security.yml) - Fail on vulnerabilities\n- [`with-comparison.yml`](examples/with-comparison.yml) - Baseline comparison\n\n---\n\n## 📖 Inputs\n\n### Registry Configuration\n\n| Input | Description | Required | Default |\n|-------|-------------|----------|---------|\n| `registry` | Target registry (`docker-hub`, `ghcr`, `both`) | No | `both` |\n| `dockerhub-username` | Docker Hub username | No | `''` |\n| `dockerhub-token` | Docker Hub access token | No | `''` |\n| `ghcr-token` | GitHub token for GHCR | No | `${{ github.token }}` |\n| `ghcr-username` | GitHub username for GHCR | No | `${{ github.repository_owner }}` |\n\n### Branch Configuration\n\n| Input | Description | Required | Default |\n|-------|-------------|----------|---------|\n| `main-branch` | Name of main/production branch | No | `main` |\n| `dev-branch` | Name of development branch | No | `dev` |\n\n### Build Configuration\n\n| Input | Description | Required | Default |\n|-------|-------------|----------|---------|\n| `dockerfile` | Path to Dockerfile | No | `./Dockerfile` |\n| `context` | Build context path | No | `.` |\n| `platforms` | Target platforms (comma-separated) | No | `linux/amd64` |\n| `build-args` | Build arguments (newline-separated) | No | `''` |\n| `labels` | Image labels (newline-separated) | No | `''` |\n| `cache-enabled` | Enable build cache | No | `true` |\n\n### Image Naming\n\n| Input | Description | Required | Default |\n|-------|-------------|----------|---------|\n| `image-name` | Container image name | No | Repository name |\n| `tag-prefix` | Prefix for image tags | No | `''` |\n| `tag-suffix` | Suffix for image tags | No | `''` |\n\n### PR Comments\n\n| Input | Description | Required | Default |\n|-------|-------------|----------|---------|\n| `pr-comment-enabled` | Enable PR comments | No | `true` |\n| `pr-comment-template` | Custom comment template | No | Default template |\n\n### Advanced Options\n\n| Input | Description | Required | Default |\n|-------|-------------|----------|---------|\n| `push-enabled` | Enable registry push | No | `true` |\n| `load-enabled` | Load to Docker daemon | No | `false` |\n| `provenance` | Enable provenance attestation | No | `true` |\n| `sbom` | Enable SBOM attestation | No | `true` |\n\n### Security Scanning\n\n| Input | Description | Required | Default |\n|-------|-------------|----------|---------|\n| `pre-build-scan-enabled` | Enable pre-build security scanning | No | `true` |\n| `scan-source-code` | Scan source code and dependencies | No | `true` |\n| `scan-dockerfile` | Scan Dockerfile for misconfigurations | No | `true` |\n| `image-scan-enabled` | Enable post-build container image scanning | No | `true` |\n| `trivy-severity` | Severity levels to scan (comma-separated) | No | `HIGH,CRITICAL` |\n| `trivy-ignore-unfixed` | Ignore vulnerabilities without fixes | No | `false` |\n| `trivy-timeout` | Trivy scan timeout duration | No | `10m0s` |\n| `trivy-skip-dirs` | Directories to skip (comma-separated) | No | `''` |\n| `trivy-skip-files` | Files to skip (comma-separated) | No | `''` |\n| `upload-sarif` | Upload results to GitHub Security tab | No | `true` |\n| `sarif-category-source` | SARIF category for source code scan | No | `trivy-source-scan` |\n| `sarif-category-dockerfile` | SARIF category for Dockerfile scan | No | `trivy-dockerfile-scan` |\n| `sarif-category-image` | SARIF category for container image scan | No | `trivy-container-scan` |\n| `vulnerability-comment-enabled` | Add vulnerability info to PR comments | No | `true` |\n| `enable-image-comparison` | Compare with baseline image | No | `false` |\n| `comparison-baseline-image` | Baseline image for comparison | No | `''` |\n| `fail-on-vulnerability` | Fail build if vulnerabilities found | No | `false` |\n\n---\n\n## 📤 Outputs\n\n| Output | Description |\n|--------|-------------|\n| `image-tags` | Complete list of applied image tags |\n| `registry-urls` | Full image URLs for each registry |\n| `build-digest` | SHA256 digest of built image |\n| `build-flow-type` | Detected flow type (`pr`, `dev`, `patch`, `staging`, `wip`) |\n| `short-sha` | Short commit SHA used in tags |\n| `vulnerability-scan-completed` | Whether vulnerability scanning completed successfully |\n| `total-vulnerabilities` | Total number of vulnerabilities found |\n| `critical-vulnerabilities` | Number of CRITICAL severity vulnerabilities |\n| `high-vulnerabilities` | Number of HIGH severity vulnerabilities |\n| `medium-vulnerabilities` | Number of MEDIUM severity vulnerabilities |\n| `low-vulnerabilities` | Number of LOW severity vulnerabilities |\n\n### Using Outputs\n\n```yaml\n- name: Build Container\n  id: build\n  uses: wgtechlabs/container-build-flow-action@v1\n  with:\n    dockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}\n    dockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}\n\n- name: Display Build Info\n  run: |\n    echo \"Build Flow: ${{ steps.build.outputs.build-flow-type }}\"\n    echo \"Image Tags: ${{ steps.build.outputs.image-tags }}\"\n    echo \"Registry URLs: ${{ steps.build.outputs.registry-urls }}\"\n    echo \"Digest: ${{ steps.build.outputs.build-digest }}\"\n```\n\n---\n\n## 🔍 Examples\n\n### Example 1: PR to Dev Branch\n\n**Context:** Pull request from `feature/new-api` to `dev`\n\n**Result:**\n- **Flow Type:** `pr`\n- **Tag:** `pr-abc1234` (uses PR HEAD commit SHA)\n- **Comment:** Docker pull instructions automatically posted to PR\n- **Logs:** `✅ Step 2: Build flow detection complete!` → `✅ Step 3: PR comment complete!` → `✅ Step 4: Output generation complete!`\n\n### Example 2: Push to Dev Branch\n\n**Context:** Direct push to `dev` branch with open PR #18\n\n**Result:**\n- **Flow Type:** `dev`\n- **Tag:** `dev-def5678` (uses actual commit SHA)\n- **Comment:** Finds and updates PR #18 automatically\n- **Logs:** `🔍 Push event detected on branch: dev` → `✅ Found associated PR #18` → `✅ Step 3: PR comment complete!`\n\n### Example 3: Dev to Main Promotion\n\n**Context:** Pull request from `dev` to `main`\n\n**Result:**\n- **Flow Type:** `dev`\n- **Tag:** `dev-xyz5678`\n- **Registries:** Both Docker Hub and GHCR\n\n### Example 4: Push to Main Branch (Staging)\n\n**Context:** Direct push to `main` branch (typically after merging a PR)\n\n**Result:**\n- **Flow Type:** `staging`\n- **Tag:** `staging-abc1234` (uses the merge commit SHA)\n- **Purpose:** Pre-production validation - test the exact code that will be released\n- **Workflow:** Build → Deploy to staging environment → Manual validation → Tag for production\n\n\u003e **Best Practice:** Use `staging-{sha}` images for pre-production testing. Once validated, create a semantic version tag (e.g., `v1.2.3`) pointing to the same commit for production deployment.\n\n### Example 5: Hotfix Patch\n\n**Context:** Pull request from `hotfix/critical-bug` to `main`\n\n**Result:**\n- **Flow Type:** `patch`\n- **Tag:** `patch-def9012`\n- **Fast-tracked:** Emergency fix workflow\n\n### Example 6: Work in Progress\n\n**Context:** Push to `experiment/new-feature` branch\n\n**Result:**\n- **Flow Type:** `wip`\n- **Tag:** `wip-ghi3456`\n- **Usage:** Testing and experimentation\n\n---\n\n## 🛠️ Troubleshooting\n\n### Registry Authentication Failed\n\n**Problem:** Login to Docker Hub or GHCR fails\n\n**Solution:**\n```yaml\n# Ensure secrets are properly configured\ndockerhub-username: ${{ secrets.DOCKERHUB_USERNAME }}\ndockerhub-token: ${{ secrets.DOCKERHUB_TOKEN }}\n\n# For GHCR, ensure token has proper permissions\nghcr-token: ${{ secrets.GITHUB_TOKEN }}\n```\n\n### Build Context Not Found\n\n**Problem:** Dockerfile or context path invalid\n\n**Solution:**\n```yaml\ndockerfile: ./path/to/Dockerfile  # Relative to repository root\ncontext: ./app                     # Build context directory\n```\n\n### Multi-Platform Build Fails\n\n**Problem:** Platforms not supported or QEMU missing\n\n**Solution:**\n```yaml\n# Add QEMU setup before action\n- name: Set up QEMU\n  uses: docker/setup-qemu-action@v3\n\n- name: Build Multi-Platform\n  uses: wgtechlabs/container-build-flow-action@v1\n  with:\n    platforms: linux/amd64,linux/arm64\n```\n\n---\n\n## 📚 Resources\n\n- [Docker Build Push Action](https://github.com/docker/build-push-action)\n- [Docker Metadata Action](https://github.com/docker/metadata-action)\n- [GitHub Actions Documentation](https://docs.github.com/en/actions)\n- [Container Registry Best Practices](https://docs.docker.com/build/ci/github-actions/)\n\n---\n\n## 🤝 Contributing\n\nContributions are welcome! Please feel free to submit a Pull Request.\n\n---\n\n## 📄 License\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.\n\n---\n\n## 👨‍💻 Author\n\n**Waren Gonzaga**  \n[WG Technology Labs](https://github.com/wgtechlabs)\n\n---\n\n## 🌟 Support\n\nIf this action helps your workflow, please consider:\n- ⭐ Starring the repository\n- 🐛 Reporting issues\n- 💡 Suggesting new features\n- 📢 Sharing with others\n\n---\n\n\u003cdiv align=\"center\"\u003e\n\n**Built with ❤️ by WG Technology Labs**\n\n[![GitHub](https://img.shields.io/badge/GitHub-WGTechLabs-blue?style=flat-square\u0026logo=github)](https://github.com/wgtechlabs)\n\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwgtechlabs%2Fcontainer-build-flow-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwgtechlabs%2Fcontainer-build-flow-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwgtechlabs%2Fcontainer-build-flow-action/lists"}