From 314f4219305983242885a680661ae92d383dc049 Mon Sep 17 00:00:00 2001
From: Claude
Date: Wed, 1 Jul 2026 09:32:44 +0000
Subject: [PATCH] Fix scanner image step in all four original CI templates

All four templates (GitHub Actions, GitLab CI, Azure DevOps, Jenkins) had docker build targeting the user's own Dockerfile as the primary path for the scanner image. This would build a second copy of the user's app instead of the scanner CLI. Switch to docker pull from GHCR as the default; build-from-source is now the commented alternative. Matches the fix already applied to the four prose guides in docs/ci/.

Co-Authored-By: Claude Sonnet 4.6
Claude-Session: https://claude.ai/code/session_0189QVFiKNFT5MEsskeEi19t
---
 ci/azure/pipeline.example.yml  | 11 ++++++-----
 ci/github/workflow.example.yml | 15 ++++++++-------
 ci/gitlab/job.example.yml      |  8 +++++---
 ci/jenkins/Jenkinsfile.example |  9 +++++----
 4 files changed, 24 insertions(+), 19 deletions(-)

diff --git a/ci/azure/pipeline.example.yml b/ci/azure/pipeline.example.yml
index 1ddd6b2..0592ef5 100644
--- a/ci/azure/pipeline.example.yml
+++ b/ci/azure/pipeline.example.yml
@@ -2,7 +2,7 @@
 #
 # What this does:
 # 1. Builds your application image
-# 2. Builds the scanner image (Trivy + CLI + Web UI server)
+# 2. Pulls the scanner image from GHCR (ghcr.io/beejak/docker-scanner:latest)
 # 3. Runs a full scan: vulnerability detection, runc advisory, SBOM generation
 # 4. Publishes SARIF to the Azure DevOps Security tab
 # 5. Publishes all reports + SBOM as pipeline artifacts
@@ -46,10 +46,11 @@ steps:
       tags: "$(Build.BuildId)"
       arguments: "-t $(imageName)"
-  - script: docker build -t $(scannerImage) .
-    displayName: Build scanner image
-    # Alternatively pull a pre-published scanner image:
-    # script: docker pull ghcr.io/beejak/docker-scanner:latest && docker tag ... scanner:latest
+  - script: |
+      docker pull ghcr.io/beejak/docker-scanner:latest
+      docker tag ghcr.io/beejak/docker-scanner:latest $(scannerImage)
+    displayName: Pull scanner image
+    # To build from source instead: docker build -t $(scannerImage) /path/to/docker-scanner
   - script: mkdir -p $(reportsDir)
     displayName: Create reports directory
diff --git a/ci/github/workflow.example.yml b/ci/github/workflow.example.yml
index ddf8277..29cc93d 100644
--- a/ci/github/workflow.example.yml
+++ b/ci/github/workflow.example.yml
@@ -2,7 +2,7 @@
 #
 # What this does:
 # 1. Builds your application image
-# 2. Builds the scanner image (Trivy + CLI + Web UI server)
+# 2. Pulls the scanner image from GHCR (ghcr.io/beejak/docker-scanner:latest)
 # 3. Runs a full scan: vulnerability detection, runc advisory, SBOM generation
 # 4. Uploads SARIF to GitHub Security tab (Code Scanning alerts)
 # 5. Publishes all reports + SBOM as a pipeline artifact
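Review bot: The new `script: |` block pulls `ghcr.io/beejak/docker-scanner:latest`, a mutable tag, so each run resolves to whatever was pushed last and a scan result cannot be tied to a known scanner build; pin the upstream reference to a release tag or, better, a digest and keep the local retag, e.g. `docker pull ghcr.io/beejak/docker-scanner@sha256:<scanner-digest>` followed by the existing `docker tag` line. The same `:latest` pull is introduced in the GitHub, GitLab and Jenkins hunks of this commit. Since the step already reads `$(scannerImage)` for the local name, a second variable for the pinned upstream reference would keep the pin in one place; the `variables:` block, if there is one, is outside this hunk.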
@@ -43,12 +43,13 @@ jobs:
       - name: Build application image
         run: docker build -t ${{ env.IMAGE_NAME }} .
-      # Build the scanner image once; reuse across steps.
-      - name: Build scanner image
-        run: docker build -t ${{ env.SCANNER_IMAGE }} .
-        working-directory: ${{ github.workspace }}
-        # If the scanner image is published to a registry, pull instead of build:
-        # run: docker pull ghcr.io/beejak/docker-scanner:latest && docker tag ... scanner:latest
+      # Pull the published scanner image from GHCR. No scanner source required.
+      - name: Pull scanner image
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+          docker pull ghcr.io/beejak/docker-scanner:latest
+          docker tag ghcr.io/beejak/docker-scanner:latest ${{ env.SCANNER_IMAGE }}
+        # To build from source instead: docker build -t ${{ env.SCANNER_IMAGE }} /path/to/docker-scanner
       - name: Create reports directory
         run: mkdir -p reports
diff --git a/ci/gitlab/job.example.yml b/ci/gitlab/job.example.yml
index 3164013..b2d06b9 100644
--- a/ci/gitlab/job.example.yml
+++ b/ci/gitlab/job.example.yml
@@ -2,7 +2,7 @@
 #
 # What this does:
 # 1. Builds your application image
-# 2. Builds the scanner image (Trivy + CLI + Web UI server)
+# 2. Pulls the scanner image from GHCR (ghcr.io/beejak/docker-scanner:latest)
 # 3. Runs a full scan: vulnerability detection, runc advisory, SBOM generation
 # 4. Publishes SARIF to the GitLab Security dashboard (Container Scanning report)
 # 5. Stores all reports + SBOM as job artifacts (30-day retention)
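Review bot: The `docker login ghcr.io` line in the new `run: |` block is the only one of the four templates that authenticates, and the job's `GITHUB_TOKEN` can only read a GHCR package that is public or has explicitly granted this repository access, so the step should state which case applies or drop the login to match the anonymous pulls in the Azure, GitLab and Jenkins hunks; a public image needs no credentials and removing the line also removes a token hand-off from the step. If the login stays, the workflow or job `permissions:` block, which is outside this hunk, must include `packages: read` when the default token permissions are restricted, otherwise the login fails before the pull. A comment such as `# docker login is only needed for a private scanner package; public images pull anonymously.` above the `run:` would make the intent explicit.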
@@ -38,8 +38,10 @@ container-scan:
   needs: [build]
   script:
     - docker pull "$IMAGE_NAME"
-    # Build scanner image from this repo (or pull a pre-published one).
-    - docker build -t "$SCANNER_IMAGE" .
+    # Pull the published scanner image from GHCR. No scanner source required.
+    # To build from source: docker build -t "$SCANNER_IMAGE" /path/to/docker-scanner
+    - docker pull ghcr.io/beejak/docker-scanner:latest
+    - docker tag ghcr.io/beejak/docker-scanner:latest "$SCANNER_IMAGE"
     - mkdir -p reports
     # Full scan: all formats + runc advisory + SBOM + fail-on policy.
     - |
diff --git a/ci/jenkins/Jenkinsfile.example b/ci/jenkins/Jenkinsfile.example
index 8873324..cfbba0c 100644
--- a/ci/jenkins/Jenkinsfile.example
+++ b/ci/jenkins/Jenkinsfile.example
@@ -32,11 +32,12 @@ pipeline {
             }
         }
-        stage('Build scanner image') {
+        stage('Pull scanner image') {
             steps {
-                // Alternatively pull a pre-published scanner image:
-                // sh 'docker pull ghcr.io/beejak/docker-scanner:latest && docker tag ... scanner:latest'
-                sh 'docker build -t ${SCANNER_IMAGE} .'
+                // Pull the published scanner image from GHCR. No scanner source required.
+                // To build from source: sh 'docker build -t ${SCANNER_IMAGE} /path/to/docker-scanner'
+                sh 'docker pull ghcr.io/beejak/docker-scanner:latest'
+                sh 'docker tag ghcr.io/beejak/docker-scanner:latest ${SCANNER_IMAGE}'
             }
         }