From 842b9d9f9a0f99a0de08c5434e72280457165752 Mon Sep 17 00:00:00 2001
From: syji35 <>
Date: Thu, 23 Nov 2023 14:23:49 +0100
Subject: [PATCH] [CI] Ajout docker container scan

---
 .github/workflows/docker-publish.yml | 47 +++++++++++++++-------------
 1 file changed, 26 insertions(+), 21 deletions(-)

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 32543f5..a51ac45 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -7,7 +7,9 @@ name: Build Docker
 on:
 push:
- branches: ["main", "develop"]
+ branches: ["main","develop"]
+ # Publish semver tags as releases.
+ tags: [ 'v*.*.*' ]
 env:
@@ -16,6 +18,9 @@ env:
 # github.repository as /
 IMAGE_NAME: ${{ github.repository_owner }}/lufi
+permissions:
+ contents: read
+
 jobs:
 build:
@@ -32,28 +37,10 @@ jobs:
 - name: Checkout repository
 uses: actions/checkout@v3
-
- # Set up BuildKit Docker container builder to be able to build
- # multi-platform images and export cache
- # https://github.com/docker/setup-buildx-action
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
-
- # Login against a Docker registry except on PR
- # https://github.com/docker/login-action
- - name: Log into registry ${{ env.REGISTRY }}
- if: github.event_name != 'pull_request'
- uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
- with:
- registry: ${{ env.REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
- # Extract metadata (tags, labels) for Docker
- # https://github.com/docker/metadata-action
 - name: Extract Docker metadata
 id: meta
- uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
+ uses: docker/metadata-action@v5.0.0 # v5.0.0
 with:
 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 tags: |
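Review bot: The rewritten `branches` line drops the space after the comma while the new `tags` line pads its brackets, so the two flow sequences in the same `push:` block now use different styles. Both parse fine; one convention per file reads better, e.g. `branches: ["main", "develop"]` and `tags: ["v*.*.*"]`. Note that the new `tags:` trigger means any pushed `v*.*.*` tag now runs the build-and-publish path, so tag-push rights on this repository are effectively publish rights.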
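Review bot: The new workflow-level `permissions: contents: read` resets every other token scope to none, including `packages`, so the `GITHUB_TOKEN` used by the login and push steps will no longer be able to push to the registry (which the step name "Log to GHCR" suggests is ghcr.io) unless the `build` job, whose body starts after this hunk, declares its own `permissions:` with `packages: write`. The least-privilege default at the top is the right choice; if the job-level grant is not already there, add `packages: write` on the job rather than widening this block.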
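Review bot: Replacing the commit SHA on `docker/metadata-action` with the `v5.0.0` tag (and likewise `setup-buildx-action`, `login-action` and `build-push-action` in the next hunk, and `crazy-max/ghaction-container-scan@v3` in the last) swaps an immutable pin for a mutable git ref, which is exactly what the `# v5.0.0` comment convention in the removed lines existed to annotate. A tag can be moved by the action's maintainers or by anyone who gains write access to that repository, so the workflow no longer guarantees which third-party code runs with this repository's `GITHUB_TOKEN`. Keep the SHA as the ref and the version as the comment, e.g. `uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0`, and pin the scan action the same way; as written the trailing `# v5.0.0` comments merely repeat the ref. This step's `with:`/`tags:` block continues past the hunk.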
@@ -64,12 +51,22 @@ jobs:
 type=semver,pattern={{major}}.{{minor}}
 type=semver,pattern={{major}}
 type=sha
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3.0.0 # v3.0.0
+ - name: Log to GHCR
+ if: github.event_name != 'pull_request'
+ uses: docker/login-action@v3.0.0
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
 # Build and push Docker image with Buildx (don't push on PR)
 # https://github.com/docker/build-push-action
 - name: Build and push Docker image
 id: build-and-push
- uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
+ uses: docker/build-push-action@v5.0.0 # v5.0.0
 with:
 context: .
 platforms: linux/amd64
@@ -79,3 +76,11 @@ jobs:
 outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=Lufi Docker
 cache-from: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache
 cache-to: type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache,mode=max
+
+ - name: Scan for vulnerabilities
+ uses: crazy-max/ghaction-container-scan@v3
+ with:
+ image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{github.ref_name}}
+ dockerfile: ./Dockerfile
+ annotations: true
+ severity: CRITICAL
\ No newline at end of file
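Review bot: The relocated Buildx and login steps arrive without the comments and upstream links that documented them in the removed block, while the neighbouring build-push step keeps its `# Build and push Docker image with Buildx (don't push on PR)` header, so the step list is now documented unevenly. Restore a one-line header on each, e.g. `# Set up BuildKit builder for multi-platform builds and registry cache` above the Buildx step and `# Log into the registry, except on PR (no push there)` above the login step, so the `if:` on the login step is explained where it appears.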
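Review bot: The new `Scan for vulnerabilities` step runs only after `build-and-push` has already pushed the image (its push condition lives outside this hunk, per the "don't push on PR" comment), so a CRITICAL finding fails the job but the vulnerable image is already in the registry; to gate publication the scan must run against the built image before the push, or the step should be documented as a post-publication check. The `image:` reference `…:${{github.ref_name}}` also does not match what `metadata-action` tagged: the visible `type=semver` patterns emit `1.2.3` rather than `v1.2.3`, and on pull requests `ref_name` is `<n>/merge`, which is not a valid image tag. Scan what was actually built by using the build step's digest output, `image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}`, and give the step the same `if: github.event_name != 'pull_request'` guard as the login step unless the image is loaded locally for PR runs. If, as the action's documentation describes, `severity` only filters the report and `severity_threshold` is what fails the job, add `severity_threshold: CRITICAL` so the step actually gates. The file also now ends without a trailing newline.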