Conversation
vipin230
requested review from
brianLoomis and
sean-sype-simmons
as code owners
Signed-off-by: Vipin Yadav <vipin.yadav@progress.com>
vipin230
force-pushed
the
wiz
branch
2 times, most recently
from
17926a5 to
43c6b83
Compare
Signed-off-by: Vipin Yadav <vipin.yadav@progress.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This pull request introduces a reusable workflow for building Docker images and integrates it into the main CI pipeline, enabling downstream security scans (Grype and Wiz) to consume a prebuilt Docker image artifact. It also adds a new Wiz CLI security scan workflow and updates the Grype workflow to optionally use prebuilt images, streamlining the image build and scan process for improved efficiency and consistency.
Key changes include:
Docker Image Build and Artifact Handling
.github/workflows/build-docker-image.yml, a reusable workflow that builds Docker images using one of three strategies (custom script, Makefile target, or standard Docker build), saves the image(s) as a tarball, and uploads it as an artifact for downstream jobs..github/workflows/ci-main-pull-request.ymlto use the newbuild-docker-imageworkflow when Grype or Wiz scans are enabled, and to pass the resulting artifact and image names to downstream scan jobs.Security Scans Integration
.github/workflows/wiz.yml, a reusable workflow for running Wiz CLI container image scans. It supports scanning prebuilt Docker images, failing the build on policy or severity violations, and uploading scan results as artifacts..github/workflows/grype.ymlto accept prebuilt Docker image artifacts and image names as inputs, allowing it to skip the build step if provided. The workflow now supports loading and scanning prebuilt images, improving scan performance and reliability. [1] [2] [3] [4].github/workflows/ci-main-pull-request.ymlto add new inputs for enabling/disabling Wiz scans and controlling failure behavior based on Wiz scan results.These changes make the CI pipeline more modular and efficient by decoupling image building from scanning, and by supporting both Grype and Wiz security scans using a common prebuilt Docker image artifact.
Related Issue
https://progresssoftware.atlassian.net/browse/CHEF-32378
Types of changes
Checklist:
Gemfile.lockhas changed, I have used--conservativeto do it and included the full output in the Description above.