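---
# Security Scan: runs Grype against the checked-out source tree and against a
# locally built Docker image. Both jobs fail on findings at or above the
# severity cutoff, so this workflow acts as a vulnerability gate.
#
# Triggers:
#   - workflow_call: reusable from other workflows; the caller must pass the
#     two Docker Hub secrets declared below.
#   - schedule: daily run. Scheduled runs execute on the default branch and
#     resolve DOCKERHUB_* from the repository/organization secrets (the
#     workflow_call secret declaration only applies to callers).
name: Security Scan

on:  # yamllint disable-line rule:truthy
  workflow_call:
    secrets:
      DOCKERHUB_USERNAME:
        required: true
      DOCKERHUB_TOKEN:
        required: true
  schedule:
    # Run daily at 2 AM UTC
    - cron: "0 2 * * *"

# Least privilege: the GITHUB_TOKEN can only read repository contents.
# No security-events: write is granted, so scan results live only in the
# job log (table output, no SARIF upload step).
permissions:
  contents: read

jobs:
  # Scans the checked-out source tree in place; no image build required.
  filesystem-scan:
    name: Grype Filesystem Scan
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      # Every action is pinned to a full commit SHA; the trailing comment
      # records the release tag that SHA corresponds to.
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Run Grype vulnerability scanner in fs mode
        id: grype-scan  # currently unreferenced; kept for future use of step outputs
        uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
        with:
          path: "."
          output-format: "table"
          # Findings below "medium" are reported but do not fail the step.
          severity-cutoff: "medium"
          # Only vulnerabilities with an available fix are reported; unfixed
          # findings are deliberately excluded from the gate.
          only-fixed: true
          fail-build: true

  # Builds the project's Docker image locally and scans the resulting image.
  image-scan:
    name: Grype Image Scan
    runs-on: ubuntu-latest
    timeout-minutes: 15
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      # NOTE(review): login is needed only to pull from dhi.io during the
      # build — presumably the Dockerfile's base image lives there; confirm
      # against the Dockerfile. Nothing is pushed (push: false below).
      - name: Log in to DHI registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: dhi.io
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # The image is loaded into the runner's local Docker daemon so the
      # scanner can reach it by tag; it never leaves the runner.
      - name: Build Docker image
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: "."
          load: true
          push: false
          # Layer cache lives in the GitHub Actions cache backend.
          cache-from: "type=gha"
          cache-to: "type=gha,mode=max"
          # Must match the image: reference in the scan step below.
          tags: "mcp-template-py:latest"

      - name: Run Grype vulnerability scanner on image
        id: grype-scan  # currently unreferenced; kept for future use of step outputs
        uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
        with:
          image: "mcp-template-py:latest"
          output-format: "table"
          # Same gate policy as the filesystem scan: medium and above, fixed only.
          severity-cutoff: "medium"
          only-fixed: true
          fail-build: true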