From af6ea110798b0e19c6d4aaf102aa4268154524b3 Mon Sep 17 00:00:00 2001
From: nessi
Date: Sat, 14 Feb 2026 19:32:50 +0100
Subject: [PATCH] Refactor Docker Scout integration in CVE scan workflow

Simplified the Docker Scout configuration logic by removing unnecessary checks and utilizing Docker's standard auth configuration. Updated environment variable usage and volume mounts to streamline the setup process for scanning containers.
---
 .../container-cve-scan-development.yml | 34 +++++++------------
 1 file changed, 12 insertions(+), 22 deletions(-)

diff --git a/.github/workflows/container-cve-scan-development.yml b/.github/workflows/container-cve-scan-development.yml
index 1874fb4..bf6bdff 100644
--- a/.github/workflows/container-cve-scan-development.yml
+++ b/.github/workflows/container-cve-scan-development.yml
@@ -24,20 +24,12 @@ jobs:
 username: ${{ secrets.DOCKERHUB_USERNAME }}
 password: ${{ secrets.DOCKERHUB_TOKEN }}
 
- - name: Docker Scout login bootstrap
- continue-on-error: true
+ - name: Prepare Docker auth config for Scout container
+ if: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }}
 run: |
- if [ -z "${{ secrets.DOCKERHUB_USERNAME }}" ] || [ -z "${{ secrets.DOCKERHUB_TOKEN }}" ]; then
- echo "Docker Scout login skipped: DOCKERHUB_USERNAME/DOCKERHUB_TOKEN not set."
- exit 0
- fi
 mkdir -p "$RUNNER_TEMP/scout-docker-config"
- printf '%s' "${{ secrets.DOCKERHUB_TOKEN }}" | docker run --rm -i \
- -e DOCKER_CONFIG=/home/scout/.docker \
- -v "$RUNNER_TEMP/scout-docker-config:/home/scout/.docker" \
- docker/scout-cli:latest login \
- --username "${{ secrets.DOCKERHUB_USERNAME }}" \
- --password-stdin || true
+ cp "$HOME/.docker/config.json" "$RUNNER_TEMP/scout-docker-config/config.json"
+ chmod 600 "$RUNNER_TEMP/scout-docker-config/config.json"
 
 - name: Build backend image (local)
 uses: docker/build-push-action@v6
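Review bot: `cp "$HOME/.docker/config.json" …` hands the Scout container the runner's entire Docker credential store rather than only the Hub login — every registry that docker/login-action or any earlier step has authenticated to ends up in the mount, so the exposure to the third-party `docker/scout-cli:latest` image grows with each login later added to this job. Consider writing only the Docker Hub `auths` entry into the copied file, or at least recording the assumption with `# config.json holds every registry login on this runner; keep this job's logins to Docker Hub only` above the `cp` line. The step's `if:` reads the `secrets` context, which, as far as I recall, is not among the contexts GitHub exposes to a step-level `if` (the documented workaround maps the secret into the step's `env:` and tests `env.DOCKERHUB_TOKEN != ''`); worth confirming against the context-availability table, because a condition that never evaluates true silently skips this step and the later scans then depend solely on the env-var credentials. With `continue-on-error: true` dropped, a missing `$HOME/.docker/config.json` now fails the job rather than degrading; that is a defensible change of intent but deserves a short comment in the step so the next maintainer does not re-add the old guard.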
@@ -114,13 +106,12 @@ jobs:
 echo "Docker Hub Scout scan skipped: DOCKERHUB_USERNAME/DOCKERHUB_TOKEN not set." > scout-backend.txt
 exit 0
 fi
- if [ ! -f "$HOME/.docker/config.json" ]; then
- echo "Runner Docker config not found; continuing with Scout login cache if present." > scout-backend.txt
- fi
 docker run --rm \
 -v /var/run/docker.sock:/var/run/docker.sock \
- -v "$RUNNER_TEMP/scout-docker-config:/home/scout/.docker" \
- -e DOCKER_CONFIG=/home/scout/.docker \
+ -v "$RUNNER_TEMP/scout-docker-config:/root/.docker:ro" \
+ -e DOCKER_CONFIG=/root/.docker \
+ -e DOCKER_SCOUT_HUB_USER="${{ secrets.DOCKERHUB_USERNAME }}" \
+ -e DOCKER_SCOUT_HUB_PASSWORD="${{ secrets.DOCKERHUB_TOKEN }}" \
 docker/scout-cli:latest cves nexapg-backend:dev-scan \
 --only-severity critical,high,medium,low > scout-backend.txt 2>&1 || {
 echo "" >> scout-backend.txt
@@ -134,13 +125,12 @@ jobs:
 echo "Docker Hub Scout scan skipped: DOCKERHUB_USERNAME/DOCKERHUB_TOKEN not set." > scout-frontend.txt
 exit 0
 fi
- if [ ! -f "$HOME/.docker/config.json" ]; then
- echo "Runner Docker config not found; continuing with Scout login cache if present." > scout-frontend.txt
- fi
 docker run --rm \
 -v /var/run/docker.sock:/var/run/docker.sock \
- -v "$RUNNER_TEMP/scout-docker-config:/home/scout/.docker" \
- -e DOCKER_CONFIG=/home/scout/.docker \
+ -v "$RUNNER_TEMP/scout-docker-config:/root/.docker:ro" \
+ -e DOCKER_CONFIG=/root/.docker \
+ -e DOCKER_SCOUT_HUB_USER="${{ secrets.DOCKERHUB_USERNAME }}" \
+ -e DOCKER_SCOUT_HUB_PASSWORD="${{ secrets.DOCKERHUB_TOKEN }}" \
 docker/scout-cli:latest cves nexapg-frontend:dev-scan \
 --only-severity critical,high,medium,low > scout-frontend.txt 2>&1 || {
 echo "" >> scout-frontend.txt
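Review bot: The added `-e DOCKER_SCOUT_HUB_USER=…` / `-e DOCKER_SCOUT_HUB_PASSWORD=…` lines deliver the same Hub token that the read-only config.json mount two lines above already provides, so the credential now reaches the container by two independent paths; the frontend hunk repeats this. If the env vars are the intended mechanism the config-copy step is dead weight, and if the mount is, the env vars should go — keeping both makes a later token rotation or the removal of one path easy to get wrong (I cannot tell from the diff which of the two scout-cli honors first). Whichever stays, prefer mapping the secrets through the step's `env:` block and referencing them as `-e DOCKER_SCOUT_HUB_PASSWORD="$DOCKERHUB_TOKEN"` so the `${{ }}` expansion does not paste the secret into the generated shell script. The enclosing `run:` block starts before the hunk.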