How to scan docker image between it's built and it's pushed to registry? #4086
A usual pipeline looks like this:
How to do the scanning step with goreleaser? Is there a way to include a custom script between the build and push steps?
Answered by
caarlos0
Jun 12, 2023
There is no way of doing that while releasing... you can however build snapshots and run Trivy after goreleaser ran, and fail the build if there are errors.
What should happen to the rest of the release process if scanning fails? Do we only skip pushing the Docker images? What about the other artifacts?
If you are releasing, you should probably have tested beforehand whether the image has issues anyway, and you'd still need to keep scanning the image afterwards due to possibly newly discovered issues in the base image or packages you use.
So... I don't believe this is something I'd want to implement, as it is confusing regarding what the behavior should be, and the benefit seems minimal.
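The workflow the answer describes, as an added example that is not goreleaser's or Trivy's own code: run a snapshot release (which builds the images without publishing), read the built image references from `dist/artifacts.json`, scan each one with Trivy, and exit non-zero so the CI job stops before any push step. The `artifacts.json` layout (`type` of `"Docker Image"`, reference in `name`), the sample content and the `--ignore-unfixed` choice are assumptions.

```python
"""Snapshot build, then scan the unpushed images with Trivy, failing the job on findings."""
import json
import subprocess
import sys
from pathlib import Path

# Constructed sample of goreleaser's dist/artifacts.json (assumption: built images
# appear there with type "Docker Image" and their full reference in "name").
SAMPLE_ARTIFACTS = """[
  {"name": "ghcr.io/acme/app:1.2.3-next", "type": "Docker Image"},
  {"name": "app_1.2.3_linux_amd64.tar.gz", "type": "Archive"},
  {"name": "ghcr.io/acme/app:1.2.3-next", "type": "Docker Image"}
]"""

SEVERITIES = "HIGH,CRITICAL"  # lower severities are reported but do not fail the job

def docker_images_from_artifacts(artifacts_json: str) -> list[str]:
    """Image references goreleaser built locally (deduplicated, stable order)."""
    images = {a["name"] for a in json.loads(artifacts_json) if a.get("type") == "Docker Image"}
    return sorted(images)

def trivy_command(image: str, severities: str = SEVERITIES) -> list[str]:
    """Trivy invocation: --exit-code 1 turns any matching finding into a non-zero exit."""
    return ["trivy", "image", "--exit-code", "1", "--severity", severities,
            "--ignore-unfixed", image]

def scan_all(images, runner=subprocess.run) -> dict[str, bool]:
    """Scan every image (True = clean); keep going past failures so the log lists them all."""
    return {img: runner(trivy_command(img), check=False).returncode == 0 for img in images}

def main(dist: str = "dist") -> int:
    # --snapshot builds the images without publishing anything; --clean empties dist/ first.
    subprocess.run(["goreleaser", "release", "--snapshot", "--clean"], check=True)
    images = docker_images_from_artifacts(Path(dist, "artifacts.json").read_text())
    if not images:
        print("no Docker images in artifacts.json; nothing to scan")
        return 0
    results = scan_all(images)
    for image, ok in results.items():
        print(("OK   " if ok else "FAIL ") + image)
    return 0 if all(results.values()) else 1  # non-zero fails the CI step before any push

if __name__ == "__main__":
    sys.exit(main())
```

Because the scan only covers what was known at build time, the same `trivy_command` is worth running on a schedule against the already-published tags, which is the follow-up scanning the reply above mentions.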