https://github.com/vipulgupta2048/chps-scorer-github-action
GitHub Action for chps-scorer
- Host: GitHub
- URL: https://github.com/vipulgupta2048/chps-scorer-github-action
- Owner: vipulgupta2048
- License: apache-2.0
- Created: 2025-04-22T08:36:52.000Z (21 days ago)
- Default Branch: main
- Last Pushed: 2025-04-22T20:04:54.000Z (20 days ago)
- Last Synced: 2025-04-24T01:13:44.861Z (19 days ago)
- Topics: chps, container, cve, github-actions, security
- Homepage:
- Size: 25.4 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# CHPs Scorer GitHub Action
Available on the [GitHub Marketplace](https://github.com/marketplace/actions/chps-scorer).
GitHub Action that runs automated security checks on container images according to the [CHPs specification](https://github.com/chps-dev/chps) (Container Hardening Points).

This action assesses container images against multiple security vectors and gives them a grade (A+ to E) based on their:
- Minimalism (image size, layer count, etc.)
- Provenance (build sources, signatures, etc.)
- Configuration (user, permissions, etc.)
- CVE vulnerabilities

When used in conjunction with [Create Issue From File](https://github.com/peter-evans/create-issue-from-file), an issue is opened whenever the action finds security problems. Grant the `issues: write` permission in the [workflow](https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#permissions) or the [job](https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions) so that the issue can be created.
## Usage
The full workflow below scans your container image once a day (and on manual `workflow_dispatch` or `repository_dispatch` runs) and opens an issue if security problems are found. Save it as `.github/workflows/chps-scorer.yml`:
```yaml
name: "CHPs Container Security Check"

on:
  repository_dispatch:
  workflow_dispatch:
  schedule:
    - cron: "00 18 * * *"

jobs:
  chps-scorer:
    runs-on: ubuntu-latest
    permissions:
      contents: read # required for actions/checkout once a permissions block is declared
      issues: write  # required for peter-evans/create-issue-from-file
    steps:
      - uses: actions/checkout@v4

      - name: CHPs Security Check
        id: chps-scorer # must match the steps.<id> reference below
        uses: vipulgupta2048/chps-scorer-github-action@v1
        with:
          image: REPLACE_WITH:YOUR_IMAGE
          dockerfile: ./Dockerfile

      - name: Write CHPS Report to File
        # Pass the step output through the environment instead of expanding the
        # expression inside the script, so its contents cannot alter the shell command.
        env:
          CHPS_OUTPUT: ${{ steps.chps-scorer.outputs.output }}
        run: |
          printf '%s\n' "$CHPS_OUTPUT" > chps-report.md

      - name: Create Issue
        uses: peter-evans/create-issue-from-file@v5
        with:
          title: Container Security Issues Detected
          content-filepath: ./chps-report.md
          labels: security, container, automated-issue
```

## Inputs
| Input | Required | Default | Description |
|---------------|----------|---------|-----------------------------------------------------------|
| image | Yes | - | Container image to scan (e.g., nginx:latest) |
| output-format | No | json | Output format (options: json) |
| skip-cves | No | false | Skip CVE scanning |
| dockerfile | No | - | Path to Dockerfile for additional checks |

## Outputs

| Output | Description |
|--------|-------------|
| output | Whether findings should trigger an issue (true/false) |

## Examples
### Basic scan of a public image
```yaml
- name: Scan nginx image
  uses: vipulgupta2048/chps-scorer-github-action@v1
  with:
    image: nginx:latest
```

### Create a GitHub issue with the report
```yaml
- name: Scan custom image with Dockerfile
  id: chps-scorer # needed so the next step can read the output
  uses: vipulgupta2048/chps-scorer-github-action@v1
  with:
    image: my-custom-image:latest
    dockerfile: ./path/to/Dockerfile

- name: Write CHPS Report to File
  env:
    CHPS_OUTPUT: ${{ steps.chps-scorer.outputs.output }}
  run: |
    printf '%s\n' "$CHPS_OUTPUT" > chps-report.md

- name: Create Issue from File
  uses: peter-evans/create-issue-from-file@v4
  with:
    title: CHPS Security Findings
    content-filepath: chps-report.md
    labels: security, docker, chps-scorer
```

Example issue: https://github.com/vipulgupta2048/chps-scorer-github-action/issues/3

### Skip CVE scanning for faster results
```yaml
- name: Quick scan without CVEs
  uses: vipulgupta2048/chps-scorer-github-action@v1
  with:
    image: my-image:latest
    skip-cves: true
```

## Security and Updates
Pin the CHPs Scorer action to a fixed version rather than a moving branch, so that a later change to the action cannot silently change what runs in your workflow. Dependabot can then keep the pinned version current automatically; this is a good way to pin the action while still receiving updates.
Create a file named `.github/dependabot.yml` with the following contents:
```yml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: ".github/workflows"
    schedule:
      interval: "weekly"
```

Adding or updating the `dependabot.yml` file triggers an immediate check for version updates. See [the documentation](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file) for all configuration options.

### Security tip
For additional protection when relying on automation to update actions, pin the action to a full-length commit SHA instead of a semver tag: a tag can be moved or recreated to point at different code, a commit SHA cannot. Dependabot still updates SHA pins (and the version comment next to them) automatically.

For example:
```yml
- name: CHPs Security Check
  # The SHA below is a placeholder; use the commit that the release tag actually points to.
  uses: vipulgupta2048/chps-scorer-github-action@abcdef123456789abcdef123456789abcdef1234 # v1.0.0
```

## License
This action is licensed under the Apache License, Version 2.0.
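The pinning advice under "Security tip" above is easy to state and easy to drift from across a repository's workflows. As an added example (not part of this action or its README), the following Python script scans a workflow file for two things: third-party actions referenced by a mutable tag or branch rather than a 40-character commit SHA, and `${{ ... }}` expressions expanded directly inside `run:` scripts, where a value containing shell metacharacters becomes part of the command (the report-writing step in the Usage workflow is the pattern to watch; passing the value through `env:` avoids it). The embedded workflow, its image name and its SHA are constructed for this example; the action names are the ones used on this page.

```python
import re

# A full git commit SHA as used in action refs (40 hex characters).
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
RUN_RE = re.compile(r"^(\s*)-?\s*run:\s*(.*)$")
EXPR_RE = re.compile(r"\$\{\{")


def is_pinned(ref):
    """True if an action reference like owner/repo@<ref> uses a full commit SHA.
    Local (./path) and docker:// actions carry no git ref and are treated as pinned."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return True
    _, _, version = ref.partition("@")
    return bool(SHA_RE.match(version))


def audit_workflow(text):
    """Scan workflow YAML text line by line and return (line_no, kind, detail) findings.

    kinds: 'unpinned-action'   - a uses: ref is a tag/branch, not a commit SHA
           'expression-in-run' - a ${{ }} expression is expanded inside a run: script
    """
    findings = []
    run_col = None  # column of the 'run:' key whose block scalar we are inside, if any
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if run_col is not None:
            indent = len(line) - len(line.lstrip(" "))
            if not stripped or indent > run_col:
                # Still inside the block scalar: this text becomes part of the shell script.
                if EXPR_RE.search(line):
                    findings.append((no, "expression-in-run", stripped))
                continue
            run_col = None  # block ended; inspect this line normally
        m = USES_RE.match(line)
        if m:
            ref = m.group(1).strip("'\"")
            if not is_pinned(ref):
                findings.append((no, "unpinned-action", ref))
            continue
        m = RUN_RE.match(line)
        if m:
            body = m.group(2).strip()
            if body in ("|", "|-", "|+", ">", ">-", ">+"):
                run_col = line.index("run:")  # a block scalar follows
            elif EXPR_RE.search(body):
                findings.append((no, "expression-in-run", body))
    return findings


# Constructed sample workflow for this example (hypothetical image name, placeholder SHA).
SAMPLE_WORKFLOW = """\
name: "CHPs Container Security Check"
on:
  workflow_dispatch:
jobs:
  chps-scorer:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      issues: write
    steps:
      - uses: actions/checkout@v4
      - name: CHPs Security Check
        id: chps-scorer
        uses: vipulgupta2048/chps-scorer-github-action@v1
        with:
          image: example.com/org/app:latest
          dockerfile: ./Dockerfile
      - name: Write report (unsafe, expression expanded inside the shell script)
        run: |
          echo "${{ steps.chps-scorer.outputs.output }}" > chps-report.md
      - name: Write report (safe, value passed through the environment)
        env:
          CHPS_OUTPUT: ${{ steps.chps-scorer.outputs.output }}
        run: |
          printf '%s\\n' "$CHPS_OUTPUT" > chps-report.md
      - name: Create Issue
        uses: peter-evans/create-issue-from-file@abcdef123456789abcdef123456789abcdef1234 # v5
        with:
          content-filepath: ./chps-report.md
"""


def main():
    # Against the sample this reports the two tag-pinned actions and the unsafe echo line.
    for no, kind, detail in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {no}: {kind}: {detail}")


if __name__ == "__main__":
    main()
```

To audit a real repository, call `audit_workflow(open(path).read())` for each file under `.github/workflows/` and fail the job if the list is non-empty. The scan is textual, so it needs no YAML library, but it also does not follow anchors or flow-style mappings; anything unusual in a workflow should be reviewed by hand.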