11 changes: 6 additions & 5 deletions ci/azure/pipeline.example.yml
Expand Up @@ -2,7 +2,7 @@
#
# What this does:
# 1. Builds your application image
# 2. Builds the scanner image (Trivy + CLI + Web UI server)
# 2. Pulls the scanner image from GHCR (ghcr.io/beejak/docker-scanner:latest)
# 3. Runs a full scan: vulnerability detection, runc advisory, SBOM generation
# 4. Publishes SARIF to the Azure DevOps Security tab
# 5. Publishes all reports + SBOM as pipeline artifacts
Expand Down Expand Up @@ -46,10 +46,11 @@ steps:
tags: "$(Build.BuildId)"
arguments: "-t $(imageName)"

- script: docker build -t $(scannerImage) .
displayName: Build scanner image
# Alternatively pull a pre-published scanner image:
# script: docker pull ghcr.io/beejak/docker-scanner:latest && docker tag ... scanner:latest
- script: |
docker pull ghcr.io/beejak/docker-scanner:latest
docker tag ghcr.io/beejak/docker-scanner:latest $(scannerImage)
displayName: Pull scanner image
# To build from source instead: docker build -t $(scannerImage) /path/to/docker-scanner

- script: mkdir -p $(reportsDir)
displayName: Create reports directory
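Review bot: The new `docker pull ghcr.io/beejak/docker-scanner:latest` line tracks a mutable tag, so the scanner that produces the SARIF and SBOM consumed later in this pipeline can change under it without any change to this file or a reviewable diff. Pin the image by digest and bump it deliberately, e.g. `docker pull ghcr.io/beejak/docker-scanner@sha256:<digest-of-published-release>`, keeping the following `docker tag` line as the local alias; the same applies to the pull lines added in ci/github/workflow.example.yml, ci/gitlab/job.example.yml and ci/jenkins/Jenkinsfile.example. If the published image is signed, verifying the signature before the tag step would close the remaining gap, but I cannot tell from these hunks whether it is. The `steps:` list continues outside the hunk.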
15 changes: 8 additions & 7 deletions ci/github/workflow.example.yml
Expand Up @@ -2,7 +2,7 @@
#
# What this does:
# 1. Builds your application image
# 2. Builds the scanner image (Trivy + CLI + Web UI server)
# 2. Pulls the scanner image from GHCR (ghcr.io/beejak/docker-scanner:latest)
# 3. Runs a full scan: vulnerability detection, runc advisory, SBOM generation
# 4. Uploads SARIF to GitHub Security tab (Code Scanning alerts)
# 5. Publishes all reports + SBOM as a pipeline artifact
Expand Down Expand Up @@ -43,12 +43,13 @@ jobs:
- name: Build application image
run: docker build -t ${{ env.IMAGE_NAME }} .

# Build the scanner image once; reuse across steps.
- name: Build scanner image
run: docker build -t ${{ env.SCANNER_IMAGE }} .
working-directory: ${{ github.workspace }}
# If the scanner image is published to a registry, pull instead of build:
# run: docker pull ghcr.io/beejak/docker-scanner:latest && docker tag ... scanner:latest
# Pull the published scanner image from GHCR. No scanner source required.
- name: Pull scanner image
run: |
echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
docker pull ghcr.io/beejak/docker-scanner:latest
docker tag ghcr.io/beejak/docker-scanner:latest ${{ env.SCANNER_IMAGE }}
# To build from source instead: docker build -t ${{ env.SCANNER_IMAGE }} /path/to/docker-scanner

- name: Create reports directory
run: mkdir -p reports
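Review bot: The new login line interpolates `${{ secrets.GITHUB_TOKEN }}` and `${{ github.actor }}` directly into the `run:` script text; passing them through `env:` and referencing them as quoted shell variables keeps the values out of the script body and avoids the expression-in-`run:` injection pattern, at no cost to readability. The login also leaves credentials in the runner's Docker config for every later step of the job, and the Azure, GitLab and Jenkins examples in this same change pull the same image anonymously, so either the login is unnecessary for a public image or a `docker logout ghcr.io` after the tag step is missing. Because the step reads a package with GITHUB_TOKEN, the job presumably needs `packages: read` in its `permissions:` block, which is outside the hunk and worth confirming.
```yaml
- name: Pull scanner image
  env:
    GHCR_USER: ${{ github.actor }}
    GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  run: |
    echo "$GHCR_TOKEN" | docker login ghcr.io -u "$GHCR_USER" --password-stdin
    # … unchanged: docker pull / docker tag …
    docker logout ghcr.io
```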
8 changes: 5 additions & 3 deletions ci/gitlab/job.example.yml
Expand Up @@ -2,7 +2,7 @@
#
# What this does:
# 1. Builds your application image
# 2. Builds the scanner image (Trivy + CLI + Web UI server)
# 2. Pulls the scanner image from GHCR (ghcr.io/beejak/docker-scanner:latest)
# 3. Runs a full scan: vulnerability detection, runc advisory, SBOM generation
# 4. Publishes SARIF to the GitLab Security dashboard (Container Scanning report)
# 5. Stores all reports + SBOM as job artifacts (30-day retention)
Expand Down Expand Up @@ -38,8 +38,10 @@ container-scan:
needs: [build]
script:
- docker pull "$IMAGE_NAME"
# Build scanner image from this repo (or pull a pre-published one).
- docker build -t "$SCANNER_IMAGE" .
# Pull the published scanner image from GHCR. No scanner source required.
# To build from source: docker build -t "$SCANNER_IMAGE" /path/to/docker-scanner
- docker pull ghcr.io/beejak/docker-scanner:latest
- docker tag ghcr.io/beejak/docker-scanner:latest "$SCANNER_IMAGE"
- mkdir -p reports
# Full scan: all formats + runc advisory + SBOM + fail-on policy.
- |
9 changes: 5 additions & 4 deletions ci/jenkins/Jenkinsfile.example
Expand Up @@ -32,11 +32,12 @@ pipeline {
}
}

stage('Build scanner image') {
stage('Pull scanner image') {
steps {
// Alternatively pull a pre-published scanner image:
// sh 'docker pull ghcr.io/beejak/docker-scanner:latest && docker tag ... scanner:latest'
sh 'docker build -t ${SCANNER_IMAGE} .'
// Pull the published scanner image from GHCR. No scanner source required.
// To build from source: sh 'docker build -t ${SCANNER_IMAGE} /path/to/docker-scanner'
sh 'docker pull ghcr.io/beejak/docker-scanner:latest'
sh 'docker tag ghcr.io/beejak/docker-scanner:latest ${SCANNER_IMAGE}'
}
}
