fix #24

Workflow file for this run

.github/workflows/docker-build-scan-push.yml at a720bc1

	name: Docker Build/Scan/Push

	on:
	push:
	branches:
	- main

	# A workflow run is made up of one or more jobs that can run sequentially or in parallel
	jobs:
	Build-Scan-Push:
	runs-on: ubuntu-latest
	permissions:
	security-events: write
	env:
	IMAGE_REPO: fdervisi/wiz-shift-left-demo-app
	IMAGE_TAG: latest
	WIZ_CLIENT_ID: ${{ secrets.WIZ_CLIENT_ID }}
	WIZ_CLIENT_SECRET: ${{ secrets.WIZ_CLIENT_SECRET }}
	WIZ_POLICY: "Default vulnerabilities policy"
	steps:
	# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
	- name: Checkout
	uses: actions/checkout@v4

	- name: Build the latest Docker image
	run: docker build -t ${IMAGE_REPO}:${IMAGE_TAG} .

	- name: Download Wiz CLI
	run: \|-
	docker pull wiziocli.azurecr.io/wizcli:latest-amd64
	docker tag wiziocli.azurecr.io/wizcli:latest-amd64 wizcli:latest

	- name: Authenticate to Wiz
	run: docker run --rm -v $(pwd):/cli wizcli:latest auth --id "$WIZ_CLIENT_ID" --secret "$WIZ_CLIENT_SECRET"

	- name: Run Wiz CLI image scan
	id: scan
	run: docker run --rm --security-opt apparmor:unconfined --cap-add SYS_ADMIN -v /var/lib/docker:/var/lib/docker -v $(pwd):/cli/ -v /var/run/docker.sock:/var/run/docker.sock wizcli:latest docker scan -i ${IMAGE_REPO}:${IMAGE_TAG} --policy "$WIZ_POLICY" --tag github_action_run_id=${{ github.run_id }} --policy-hits-only --driver mountWithLayers --dockerfile "./Dockerfile" --output wiz-output.json,sarif,true

	continue-on-error: true

	- name: Upload SARIF file
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: wiz-output.json
	category: wiz

	- name: Login to DockerHub
	uses: docker/login-action@v3
	with:
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_TOKEN }}

	- name: Push the latest Docker image
	run: docker push ${IMAGE_REPO}:${IMAGE_TAG}

	- name: Run Wiz CLI image tag
	run: docker run --rm -v $(pwd):/cli/ -v /var/run/docker.sock:/var/run/docker.sock wizcli:latest docker tag -i ${IMAGE_REPO}:${IMAGE_TAG}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix #24

Workflow file

fix #24

Jobs

Run details

Workflow file for this run