Fix scanner image step in all four original CI templates#4

Merged
beejak merged 1 commit into main from claude/repo-testing-strategy-rygscm on Jul 2, 2026
Conversation

@beejak beejak commented Jul 1, 2026

Owner

Summary

  • All four original CI templates (ci/github/workflow.example.yml, ci/gitlab/job.example.yml, ci/azure/pipeline.example.yml, ci/jenkins/Jenkinsfile.example) had docker build as the primary path for pulling the scanner image
  • When a user copies these templates into their own repo, docker build . targets their application's Dockerfile, producing a second app image tagged as scanner:latest — the scanner CLI then never runs
  • Switch to docker pull ghcr.io/beejak/docker-scanner:latest as the default; build-from-source is now the commented alternative
  • Mirrors the same fix already applied to the four prose guides in docs/ci/ (merged in PR Expand CI guides from stubs to full reference docs; update primer and lessons #3)

Generated by Claude Code

Greptile Summary

This PR fixes all four CI templates (github, gitlab, azure, jenkins) to pull the scanner image from GHCR instead of running docker build ., mirroring the fix already applied to the prose guides in docs/ci/ via PR #3.

  • GitLab, Azure, Jenkins: straightforward swap of docker build for docker pull ghcr.io/beejak/docker-scanner:latest + docker tag; looks correct.
  • GitHub Actions: adds a docker login ghcr.io step using GITHUB_TOKEN, but the permissions block is missing packages: read, and the repo's own docs note that GITHUB_TOKEN cannot access packages outside the same org — meaning users copying the template into their own repos will have a token scoped to their org, not beejak's.
  • Jenkinsfile: the stage name was correctly updated but the top-of-file What this does comment still says "Builds the scanner image" — the only file in the PR where the header description was not updated.

Confidence Score: 3/5

Three of four templates are clean, but the GitHub Actions template has a docker login step that relies on GITHUB_TOKEN to pull from a different org's GHCR namespace — the token can't cross org boundaries, and the required packages: read permission is absent from the permissions block.

The GitLab, Azure, and Jenkins changes are correct and safe. The GitHub Actions template introduces a GHCR login that will silently fail for any user copying the template into their own repo: GITHUB_TOKEN is scoped to the caller's org, not beejak's, and packages: read is not declared in the permissions block.

ci/github/workflow.example.yml — the permissions block and docker login step need attention before this template is distributed to users.

Important Files Changed

Filename Overview
ci/github/workflow.example.yml Switches scanner step from docker build to docker pull; adds a GHCR login using GITHUB_TOKEN that is missing packages: read permission and cannot cross org boundaries to pull beejak's image.
ci/gitlab/job.example.yml Switches scanner step from docker build to docker pull ghcr.io/beejak/docker-scanner:latest + docker tag; no issues found.
ci/azure/pipeline.example.yml Switches scanner step from docker build to docker pull + docker tag using a multi-line script block; no issues found.
ci/jenkins/Jenkinsfile.example Renames stage to Pull scanner image and switches to docker pull + docker tag; top-of-file description comment still says Builds the scanner image (missed in the PR).

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant CI as CI Runner
    participant GHCR as ghcr.io/beejak
    participant Daemon as Docker Daemon
    participant Scanner as scanner:latest

    CI->>Daemon: docker build -t app:SHA .
    Note over CI,Daemon: Build application image (unchanged)

    CI->>GHCR: docker pull ghcr.io/beejak/docker-scanner:latest
    GHCR-->>Daemon: scanner image layers
    CI->>Daemon: docker tag ghcr.io/beejak/docker-scanner:latest scanner:latest
    Note over CI,GHCR: New path (this PR) — replaces docker build . for scanner

    CI->>Daemon: docker run --rm scanner:latest scan --image app:SHA ...
    Daemon->>Scanner: start scanner container
    Scanner-->>CI: reports/ (SARIF, MD, HTML, CSV, SBOM)

    CI->>CI: upload SARIF / artifacts

Comments Outside Diff (2)

  1. ci/jenkins/Jenkinsfile.example, line 5 (link)

    P2 The top-of-file description was not updated to match the stage rename — it still reads "Builds the scanner image" while the stage is now "Pull scanner image". All three other CI templates had their equivalent header comments updated in this PR.


  2. ci/github/workflow.example.yml, line 29-52 (link)

    P1 Missing packages: read permission and cross-org token limitation

    The template logs in to GHCR with GITHUB_TOKEN, but two things will break this for users who copy the template:

    1. The permissions block only declares contents: read and security-events: write. The repo's own docs explicitly state packages: read is required when using GITHUB_TOKEN with GHCR — without it the token lacks the scope to pull any package.
    2. The same docs note that "GITHUB_TOKEN can only access packages belonging to the same repository or organisation." Any user copying this template into their own repo will have a token scoped to their org, not beejak, so the login won't grant access to ghcr.io/beejak/docker-scanner:latest even with packages: read added.

    If the image is public (consistent with Azure/GitLab/Jenkins pulling without any login step), the login is unnecessary and just adds confusion. If it might ever be private or if users adapt this for a private scanner mirror, a PAT stored as a secret (e.g. secrets.GHCR_PAT) is required — not GITHUB_TOKEN. At minimum, packages: read should be added to the permissions block, and the comment should clarify the cross-org limitation.


Reviews (1): Last reviewed commit: "Fix scanner image step in all four origi..."

Context used:

  • Context used - Integrations agent — Azure, GitHub, GitLab, Jenkin... (source)
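The review's P1 finding is a consistency problem between two parts of one workflow file: a `docker login ghcr.io` step that authenticates with `GITHUB_TOKEN`, and a `permissions` block that never grants `packages: read`. The script below is an added example, not part of the PR, the Greptile review, or the docker-scanner repository; it is a line-based lint (not a YAML parser) that flags exactly that mismatch so a template can be checked before it is copied into another repo. The three sample workflows it runs against are constructed here to mirror the shapes the review describes (missing scope, scope added, public pull with no login); the image path `ghcr.io/beejak/docker-scanner:latest` comes from the PR, everything else in the samples is illustrative.

```shell
#!/bin/sh
# Lint a GitHub Actions workflow for the misconfiguration raised in review:
# a `docker login ghcr.io` step that uses GITHUB_TOKEN while no permissions
# block grants `packages: read`. Heuristic line matching, not a YAML parser;
# adequate for templates shaped like ci/github/workflow.example.yml.

# Does the workflow log in to ghcr.io using the workflow's own GITHUB_TOKEN?
uses_ghcr_login_with_github_token() {
  grep -Eq 'docker +login +ghcr\.io' "$1" &&
    grep -Eq 'secrets\.GITHUB_TOKEN|github\.token' "$1"
}

# Does any `permissions:` block (workflow- or job-level) grant package read
# access? The `permissions: read-all` / `write-all` shorthand also counts.
grants_packages_read() {
  awk '
    /^[[:space:]]*permissions:[[:space:]]*(read-all|write-all)[[:space:]]*$/ { found = 1 }
    /^[[:space:]]*permissions:[[:space:]]*$/ { inblock = 1; indent = match($0, /[^ ]/); next }
    inblock {
      if ($0 ~ /^[[:space:]]*$/) next                # blank lines do not end the block
      if (match($0, /[^ ]/) <= indent) inblock = 0  # dedent: the block is over
      else if ($0 ~ /^[[:space:]]*packages:[[:space:]]*(read|write)[[:space:]]*$/) found = 1
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Returns 0 when the file is consistent, 1 when it logs in to GHCR with
# GITHUB_TOKEN but never declares packages: read (the login would fail).
check_ghcr_perms() {
  if uses_ghcr_login_with_github_token "$1"; then
    if grants_packages_read "$1"; then
      echo "ok: $1 logs in to ghcr.io with GITHUB_TOKEN and grants packages: read"
      echo "note: GITHUB_TOKEN only reaches packages owned by the workflow's own repository or org"
      return 0
    fi
    echo "FAIL: $1 logs in to ghcr.io with GITHUB_TOKEN but grants no packages: read" >&2
    return 1
  fi
  echo "ok: $1 does not authenticate to ghcr.io with GITHUB_TOKEN (public pull)"
  return 0
}

WORKDIR=$(mktemp -d)
BAD="$WORKDIR/workflow-missing-packages-read.yml"
GOOD="$WORKDIR/workflow-with-packages-read.yml"
NOLOGIN="$WORKDIR/workflow-public-pull.yml"

# Constructed sample: the shape the review describes, with the scope missing.
cat > "$BAD" <<'EOF'
name: scan
on: [push]
permissions:
  contents: read
  security-events: write
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker build -t app:${{ github.sha }} .
      - run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin
      - run: docker pull ghcr.io/beejak/docker-scanner:latest
      - run: docker tag ghcr.io/beejak/docker-scanner:latest scanner:latest
EOF

# Constructed sample: same workflow with packages: read added to the block.
awk '{ print } /^  contents: read$/ { print "  packages: read" }' "$BAD" > "$GOOD"

# Constructed sample: no login at all, the approach the other three templates take.
grep -v 'docker login' "$BAD" > "$NOLOGIN"

for f in "$BAD" "$GOOD" "$NOLOGIN"; do
  check_ghcr_perms "$f" || true
done
```

Passing the lint only removes the first of the two problems the review lists; the cross-org limitation of `GITHUB_TOKEN` cannot be detected statically, which is why the script prints a note rather than a verdict for the authenticated case.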

All four templates (GitHub Actions, GitLab CI, Azure DevOps, Jenkins)
had docker build targeting the user's own Dockerfile as the primary
path for the scanner image. This would build a second copy of the
user's app instead of the scanner CLI. Switch to docker pull from
GHCR as the default; build-from-source is now the commented alternative.
Matches the fix already applied to the four prose guides in docs/ci/.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_0189QVFiKNFT5MEsskeEi19t
@beejak beejak merged commit e2ad50a into main Jul 2, 2026
3 checks passed