Fix scanner image step in all four original CI templates#4
Merged
All four templates (GitHub Actions, GitLab CI, Azure DevOps, Jenkins) had docker build targeting the user's own Dockerfile as the primary path for the scanner image. This would build a second copy of the user's app instead of the scanner CLI. Switch to docker pull from GHCR as the default; build-from-source is now the commented alternative. Matches the fix already applied to the four prose guides in docs/ci/.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_0189QVFiKNFT5MEsskeEi19t
Summary

- All four CI templates (`ci/github/workflow.example.yml`, `ci/gitlab/job.example.yml`, `ci/azure/pipeline.example.yml`, `ci/jenkins/Jenkinsfile.example`) had `docker build` as the primary path for pulling the scanner image
- `docker build .` targets their application's `Dockerfile`, producing a second app image tagged as `scanner:latest` — the scanner CLI then never runs
- `docker pull ghcr.io/beejak/docker-scanner:latest` is now the default; build-from-source is now the commented alternative
- Matches the fix already applied to the prose guides in `docs/ci/` (merged in PR #3, "Expand CI guides from stubs to full reference docs; update primer and lessons")

Generated by Claude Code
Greptile Summary

This PR fixes all four CI templates (github, gitlab, azure, jenkins) to pull the scanner image from GHCR instead of running `docker build .`, mirroring the fix already applied to the prose guides in `docs/ci/` via PR #3.

- `docker build` replaced by `docker pull ghcr.io/beejak/docker-scanner:latest` + `docker tag`; looks correct.
- `docker login ghcr.io` step using `GITHUB_TOKEN`, but the `permissions` block is missing `packages: read`, and the repo's own docs note that `GITHUB_TOKEN` cannot access packages outside the same org — meaning users copying the template into their own repos will have a token scoped to their org, not beejak's.
- "What this does" comment still says "Builds the scanner image" — the only file in the PR where the header description was not updated.

Confidence Score: 3/5
Three of four templates are clean, but the GitHub Actions template has a docker login step that relies on GITHUB_TOKEN to pull from a different org's GHCR namespace — the token can't cross org boundaries, and the required packages: read permission is absent from the permissions block.
The GitLab, Azure, and Jenkins changes are correct and safe. The GitHub Actions template introduces a GHCR login that will silently fail for any user copying the template into their own repo: GITHUB_TOKEN is scoped to the caller's org, not beejak's, and packages: read is not declared in the permissions block.
Important Files Changed

ci/github/workflow.example.yml — the permissions block and docker login step need attention before this template is distributed to users.
Sequence Diagram

```mermaid
%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant CI as CI Runner
    participant GHCR as ghcr.io/beejak
    participant Daemon as Docker Daemon
    participant Scanner as scanner:latest
    CI->>Daemon: docker build -t app:SHA .
    Note over CI,Daemon: Build application image (unchanged)
    CI->>GHCR: docker pull ghcr.io/beejak/docker-scanner:latest
    GHCR-->>Daemon: scanner image layers
    CI->>Daemon: docker tag ghcr.io/beejak/docker-scanner:latest scanner:latest
    Note over CI,GHCR: New path (this PR) — replaces docker build . for scanner
    CI->>Daemon: docker run --rm scanner:latest scan --image app:SHA ...
    Daemon->>Scanner: start scanner container
    Scanner-->>CI: reports/ (SARIF, MD, HTML, CSV, SBOM)
    CI->>CI: upload SARIF / artifacts
```

Comments Outside Diff (2)
ci/jenkins/Jenkinsfile.example, line 5
ci/github/workflow.example.yml, lines 29-52

`packages: read` permission and cross-org token limitation

The template logs in to GHCR with `GITHUB_TOKEN`, but two things will break this for users who copy the template:

1. The `permissions` block only declares `contents: read` and `security-events: write`. The repo's own docs explicitly state `packages: read` is required when using `GITHUB_TOKEN` with GHCR — without it the token lacks the scope to pull any package.
2. "`GITHUB_TOKEN` can only access packages belonging to the same repository or organisation." Any user copying this template into their own repo will have a token scoped to their org, not beejak, so the login won't grant access to `ghcr.io/beejak/docker-scanner:latest` even with `packages: read` added.

If the image is public (consistent with Azure/GitLab/Jenkins pulling without any login step), the login is unnecessary and just adds confusion. If it might ever be private or if users adapt this for a private scanner mirror, a PAT stored as a secret (e.g. `secrets.GHCR_PAT`) is required — not `GITHUB_TOKEN`. At minimum, `packages: read` should be added to the permissions block, and the comment should clarify the cross-org limitation.
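The following GitHub Actions excerpt illustrates the two points the review above raises. It is an added example, not the repository's ci/github/workflow.example.yml; the workflow name, job name, checkout step and the `GHCR_PAT` secret name are assumptions. It declares `packages: read` alongside the existing permissions, pulls and tags the scanner from GHCR instead of building it from the app's own Dockerfile (the old path is left as a comment), and keeps the login step only for the private-mirror case with a PAT rather than `GITHUB_TOKEN`.

```yaml
# Added example (not the repository's ci/github/workflow.example.yml);
# workflow/job names, checkout step and GHCR_PAT secret are assumptions.
name: container-scan

on: [push, pull_request]

permissions:
  contents: read
  security-events: write   # needed to upload the SARIF report
  packages: read           # required whenever GITHUB_TOKEN talks to GHCR

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build application image
        run: docker build -t app:${{ github.sha }} .

      # Only needed if the scanner image is private or mirrored privately.
      # GITHUB_TOKEN is scoped to this repo's org and cannot pull from
      # another org's GHCR namespace, so a PAT stored as a secret is used.
      # For a public image, drop this step entirely.
      - name: Log in to GHCR (private mirror only)
        if: ${{ secrets.GHCR_PAT != '' }}
        run: echo "${{ secrets.GHCR_PAT }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin

      - name: Pull scanner image
        run: |
          # Old path in the templates: builds a second copy of the app from
          # the repo's own Dockerfile and tags it as the scanner, so the
          # scanner CLI never runs.
          # docker build -t scanner:latest .
          docker pull ghcr.io/beejak/docker-scanner:latest
          docker tag ghcr.io/beejak/docker-scanner:latest scanner:latest

      - name: Scan application image
        # remaining scanner flags are not shown on this page; see docs/ci/
        run: docker run --rm scanner:latest scan --image app:${{ github.sha }}
```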