diff --git a/ci/azure/pipeline.example.yml b/ci/azure/pipeline.example.yml
index 1ddd6b2..0592ef5 100644
--- a/ci/azure/pipeline.example.yml
+++ b/ci/azure/pipeline.example.yml
@@ -2,7 +2,7 @@
 #
 # What this does:
 # 1. Builds your application image
-# 2. Builds the scanner image (Trivy + CLI + Web UI server)
+# 2. Pulls the scanner image from GHCR (ghcr.io/beejak/docker-scanner:latest)
 # 3. Runs a full scan: vulnerability detection, runc advisory, SBOM generation
 # 4. Publishes SARIF to the Azure DevOps Security tab
 # 5. Publishes all reports + SBOM as pipeline artifacts
@@ -46,10 +46,11 @@ steps:
       tags: "$(Build.BuildId)"
       arguments: "-t $(imageName)"
 
-  - script: docker build -t $(scannerImage) .
-    displayName: Build scanner image
-    # Alternatively pull a pre-published scanner image:
-    # script: docker pull ghcr.io/beejak/docker-scanner:latest && docker tag ... scanner:latest
+  - script: |
+      docker pull ghcr.io/beejak/docker-scanner:latest
+      docker tag ghcr.io/beejak/docker-scanner:latest $(scannerImage)
+    displayName: Pull scanner image
+    # To build from source instead: docker build -t $(scannerImage) /path/to/docker-scanner
 
   - script: mkdir -p $(reportsDir)
     displayName: Create reports directory
diff --git a/ci/github/workflow.example.yml b/ci/github/workflow.example.yml
index ddf8277..29cc93d 100644
--- a/ci/github/workflow.example.yml
+++ b/ci/github/workflow.example.yml
@@ -2,7 +2,7 @@
 #
 # What this does:
 # 1. Builds your application image
-# 2. Builds the scanner image (Trivy + CLI + Web UI server)
+# 2. Pulls the scanner image from GHCR (ghcr.io/beejak/docker-scanner:latest)
 # 3. Runs a full scan: vulnerability detection, runc advisory, SBOM generation
 # 4. Uploads SARIF to GitHub Security tab (Code Scanning alerts)
 # 5. Publishes all reports + SBOM as a pipeline artifact
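Review bot: The new `docker pull ghcr.io/beejak/docker-scanner:latest` / `docker tag` lines pin the scanner only by the mutable `latest` tag, so the tool that produces the vulnerability findings, SARIF and SBOM can change silently between runs and a given scan result cannot be reproduced or attributed to a known scanner build. Pull a release tag or, preferably, an immutable digest instead, e.g. `docker pull ghcr.io/beejak/docker-scanner@sha256:<digest-placeholder>` (placeholder; take the digest from the published package), and keep that reference in one variable next to `$(scannerImage)` so all steps agree. The same unpinned reference is introduced in the ci/github/workflow.example.yml, ci/gitlab/job.example.yml and ci/jenkins/Jenkinsfile.example hunks of this commit. This pipeline also performs no registry login before the pull, so it presumably relies on the package being public; a one-line comment stating that assumption, e.g. `# Assumes the GHCR package is public; add a docker login step otherwise`, would save the next reader a failed run.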
@@ -43,12 +43,13 @@ jobs:
       - name: Build application image
         run: docker build -t ${{ env.IMAGE_NAME }} .
 
-      # Build the scanner image once; reuse across steps.
-      - name: Build scanner image
-        run: docker build -t ${{ env.SCANNER_IMAGE }} .
-        working-directory: ${{ github.workspace }}
-      # If the scanner image is published to a registry, pull instead of build:
-      # run: docker pull ghcr.io/beejak/docker-scanner:latest && docker tag ... scanner:latest
+      # Pull the published scanner image from GHCR. No scanner source required.
+      - name: Pull scanner image
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+          docker pull ghcr.io/beejak/docker-scanner:latest
+          docker tag ghcr.io/beejak/docker-scanner:latest ${{ env.SCANNER_IMAGE }}
+      # To build from source instead: docker build -t ${{ env.SCANNER_IMAGE }} /path/to/docker-scanner
 
       - name: Create reports directory
         run: mkdir -p reports
diff --git a/ci/gitlab/job.example.yml b/ci/gitlab/job.example.yml
index 3164013..b2d06b9 100644
--- a/ci/gitlab/job.example.yml
+++ b/ci/gitlab/job.example.yml
@@ -2,7 +2,7 @@
 #
 # What this does:
 # 1. Builds your application image
-# 2. Builds the scanner image (Trivy + CLI + Web UI server)
+# 2. Pulls the scanner image from GHCR (ghcr.io/beejak/docker-scanner:latest)
 # 3. Runs a full scan: vulnerability detection, runc advisory, SBOM generation
 # 4. Publishes SARIF to the GitLab Security dashboard (Container Scanning report)
 # 5. Stores all reports + SBOM as job artifacts (30-day retention)
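Review bot: The new `docker login ghcr.io` line authenticates with `secrets.GITHUB_TOKEN`, but that token can only pull from GHCR when the job's `permissions` block grants `packages: read`, and even then only for packages visible to the repository the token belongs to; the job header is outside this hunk, so I cannot confirm the permission is set. If `ghcr.io/beejak/docker-scanner` is a public package the login is unnecessary and can be dropped; if it is private under another owner, the login will succeed and the following `docker pull` will still be denied. Either way the requirement should be stated where the reader will look for it, e.g. above the step: `# Requires permissions: packages: read; the package must be visible to this repository`. Note also that this is the only one of the four example pipelines in the commit that logs in before pulling, so the examples currently disagree on whether authentication is needed.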
@@ -38,8 +38,10 @@ container-scan:
   needs: [build]
   script:
     - docker pull "$IMAGE_NAME"
-    # Build scanner image from this repo (or pull a pre-published one).
-    - docker build -t "$SCANNER_IMAGE" .
+    # Pull the published scanner image from GHCR. No scanner source required.
+    # To build from source: docker build -t "$SCANNER_IMAGE" /path/to/docker-scanner
+    - docker pull ghcr.io/beejak/docker-scanner:latest
+    - docker tag ghcr.io/beejak/docker-scanner:latest "$SCANNER_IMAGE"
     - mkdir -p reports
     # Full scan: all formats + runc advisory + SBOM + fail-on policy.
     - |
diff --git a/ci/jenkins/Jenkinsfile.example b/ci/jenkins/Jenkinsfile.example
index 8873324..cfbba0c 100644
--- a/ci/jenkins/Jenkinsfile.example
+++ b/ci/jenkins/Jenkinsfile.example
@@ -32,11 +32,12 @@ pipeline {
             }
         }
 
-        stage('Build scanner image') {
+        stage('Pull scanner image') {
             steps {
-                // Alternatively pull a pre-published scanner image:
-                // sh 'docker pull ghcr.io/beejak/docker-scanner:latest && docker tag ... scanner:latest'
-                sh 'docker build -t ${SCANNER_IMAGE} .'
+                // Pull the published scanner image from GHCR. No scanner source required.
+                // To build from source: sh 'docker build -t ${SCANNER_IMAGE} /path/to/docker-scanner'
+                sh 'docker pull ghcr.io/beejak/docker-scanner:latest'
+                sh 'docker tag ghcr.io/beejak/docker-scanner:latest ${SCANNER_IMAGE}'
             }
         }
 