# Multi-Architecture Image Build
This workflow is used to build container images that are compatible with multiple architectures.
Supports:
- linux/amd64
- linux/arm/v6
- linux/arm/v7
- linux/arm64
## Vulnerability Scanning
Two types of vulnerability scan are available.
Both are enabled by default.
### Static Code Analysis of Dockerfile
Dockerfiles are scanned for security best practices by checkov, before the image is built.
This can be disabled with the input parameter `scan_dockerfile: false`.
### CVE Scanning of Built Image
The built image is scanned for CVEs in the installed software by Grype, via the Anchore Scan Action.
This can be disabled with the input parameter `scan_image: false`.
## Inputs
| INPUT | TYPE | REQUIRED | DEFAULT | DESCRIPTION |
|---|---|---|---|---|
| build_target | string | false | | The target stage to build (defaults to the end of the Dockerfile). |
| cache | boolean | false | true | Use GHCR caching. Set this to false if the registry is not ghcr.io. |
| context | string | false | "." | Root directory to start the build from. |
| dockerfile | string | false | "Dockerfile" | Name of the Dockerfile, relative to the context directory. |
| environment | string | false | "${{ github.ref_name }}" | The environment to use for variables. |
| extra_build_args | string | false | | Space separated list of extra build args to use for the image. |
| image_name | string | false | | Name of the image, without tags. Not required if image_tags is specified. |
| image_tags | string | false | | By default the images are tagged automatically. Override with a space separated list of tags. |
| push | boolean | false | true | Set to false to prevent pushing the image. |
| registry | string | false | "ghcr.io" | Override GHCR to use an external registry. |
| scan_dockerfile | boolean | false | true | Enable Dockerfile vulnerability scanning, prior to build. |
| scan_image | boolean | false | true | Enable image vulnerability scan, after build. |
| skip_cve | string | false | "CKV_DOCKER_8,CKV_DOCKER_2,CKV_DOCKER_3,CKV_DOCKER_5" | Skip specific checks in checkov (comma separated check IDs, overriding the default rules). |
## Secrets
No secrets.
## Outputs
| OUTPUT | VALUE | DESCRIPTION |
|---|---|---|
| image_name | "${{ jobs.build-images.outputs.image_name }}" | The final full image reference. |
| image_tag | "${{ jobs.build-images.outputs.image_tag }}" | The final image tag. |
## Example Usage
```yaml
# Goes under the jobs: block of the calling workflow
jobs:
  test-img-build:
    uses: hotosm/gh-workflows/.github/workflows/image_build_multi.yml@1.3.3
    with:
      image_name: ghcr.io/${{ github.repository }}
```
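The following is an added, complete caller workflow (it is not part of hotosm/gh-workflows) that exercises the scanning inputs and the outputs documented above. It assumes a repository on GitHub that publishes to ghcr.io; the job names, trigger branches and the narrowed `skip_cve` list are assumptions made for the example. Pull request builds are built and scanned but not pushed, and a follow-on job shows how the `image_name` and `image_tag` outputs are consumed.

```yaml
# Added example caller workflow (not the project's own file).
# Assumptions: the repository is on GitHub, pushes to ghcr.io, and the
# default branch is "main".
name: Build multi-arch image

on:
  pull_request:
  push:
    branches: [main]
    tags: ["*"]

jobs:
  build:
    uses: hotosm/gh-workflows/.github/workflows/image_build_multi.yml@1.3.3
    with:
      context: .
      dockerfile: Dockerfile
      image_name: ghcr.io/${{ github.repository }}
      # Build and scan on pull requests, but only publish from push events
      push: ${{ github.event_name != 'pull_request' }}
      # Both scans default to true; stated explicitly so the policy is visible
      scan_dockerfile: true
      scan_image: true
      # Narrow the default skip list so more checkov checks are enforced
      # (the default skips CKV_DOCKER_8, CKV_DOCKER_2, CKV_DOCKER_3 and CKV_DOCKER_5)
      skip_cve: "CKV_DOCKER_2"
      # For a registry other than ghcr.io, also disable GHCR caching:
      # registry: registry.example.com   # placeholder, not a real registry
      # cache: false

  # Consumes the reusable workflow's outputs once the build job has finished
  report:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - name: Show the image reference produced by the build
        run: |
          echo "image_name: ${{ needs.build.outputs.image_name }}"
          echo "image_tag:  ${{ needs.build.outputs.image_tag }}"
```

Because the reusable workflow declares no secrets, the caller passes none; pushing to ghcr.io relies on the calling repository's own token permissions. Narrowing `skip_cve` is the lever for tightening the Dockerfile checks: each check ID removed from the list becomes a blocking finding on the next build.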