security: add image-scan

Signed-off-by: Christian Kotzbauer <christian.kotzbauer@gmail.com>
ckotzbauer · Dec 19, 2020 · 95278b8 · 95278b8
1 parent 462a4d6
commit 95278b8
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -12,10 +12,22 @@ jobs:
       - name: Install Go
         uses: actions/setup-go@v2
         with:
-          go-version: '1.15.2'
+          go-version: '1.15.6'
       - name: Checkout
         uses: actions/checkout@v2
         with:
           fetch-depth: "0"
       - name: Build
         run: make build-cross
+      - name: Build image
+        uses: elgohr/Publish-Docker-Github-Action@master
+        with:
+          name: ckotzbauer/k8spolicy
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+          tags: "latest"
+          no_push: true
+      - name: Container scan
+        uses: azure/container-scan@v0
+        with:
+          image-name: ckotzbauer/k8spolicy
diff --git a/Dockerfile b/Dockerfile
@@ -7,7 +7,6 @@ RUN go build -ldflags '-w -s' -o /k8spolicy
 
 
 FROM debian:buster-slim
-COPY --from=builder /k8spolicy /usr/local/bin/k8spolicy
 
 ENV CONFTEST_VERSION 0.20.0
 ENV K8SPOLICY_SKIP_POLICY_DOWNLOAD true
@@ -43,5 +42,6 @@ RUN apt-get update && \
     adduser --uid 1000 --gid 1000 --shell /bin/sh --disabled-password --gecos "" k8spolicy && \
     chown -R 1000:1000 /tmp/k8spolicy
 
+COPY --from=builder /k8spolicy /usr/local/bin/k8spolicy
 USER k8spolicy
 ENTRYPOINT ["/usr/local/bin/k8spolicy"]