# This workflow uses actions that are not certified by GitHub. # They are provided by a third-party and are governed by # separate terms of service, privacy policy, and support # documentation. name: Sysdig - Build, scan, push and upload sarif report on: push: branches: [ $default-branch, $protected-branches ] pull_request: branches: [ $default-branch ] schedule: - cron: $cron-weekly jobs: build: runs-on: ubuntu-latest steps: - uses: actions/checkout@v1 - name: Build the Docker image run: docker build . --file Dockerfile --tag ${{ github.head_ref }}:latest - name: Sysdig Secure Inline Scan id: scan uses: sysdiglabs/scan-action@v3 with: # Tag of the image to analyse image-tag: "${{ github.head_ref }}:latest" # API token for Sysdig Scanning auth sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }} dockerfile-path: ./Dockerfile input-type: docker-daemon ignore-failed-scan: true - uses: github/codeql-action/upload-sarif@v1 if: always() with: sarif_file: ${{ steps.scan.outputs.sarifReport }