feat(ci): generate SBOMs in scan job and attach attestations on push
Some checks failed
Build images / check-docker (push) Successful in 3s
Build images / scan (push) Failing after 46s
Build images / build-and-push (push) Has been skipped

Scan job: run Trivy before the security gate to emit a CycloneDX SBOM
for each image (exit-code 0), then run the HIGH/CRITICAL gate as before.
SBOMs are uploaded as a pipeline artifact (90-day retention) with
if: always() so they're available even when the security gate fails.

Build job: add sbom: true and provenance: true to both build-push steps
so BuildKit attaches SBOM and provenance attestations to the image
manifest in the registry.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
docker-claude 2026-04-16 11:59:24 +02:00
parent 530def213b
commit e6b46087b3


@ -45,8 +45,19 @@ jobs:
steps: steps:
- name: Checkout the repo - name: Checkout the repo
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Build proxy image for scanning - name: Build proxy image for scanning
run: docker build -t scan/proxy:latest ./proxy run: docker build -t scan/proxy:latest ./proxy
- name: Generate proxy SBOM
uses: aquasecurity/trivy-action@v0.35.0
with:
image-ref: scan/proxy:latest
format: cyclonedx
output: sbom-proxy.cdx.json
exit-code: '0'
vuln-type: os,library
- name: Scan proxy image - name: Scan proxy image
uses: aquasecurity/trivy-action@v0.35.0 uses: aquasecurity/trivy-action@v0.35.0
with: with:
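Review bot: in the "Generate proxy SBOM" step, `exit-code: '0'` is right (SBOM export must never gate), but `vuln-type: os,library` is Trivy's default and does nothing here; dropping it makes the step read as a pure SBOM export rather than a second scan. Since this job is the supply-chain control, consider pinning `aquasecurity/trivy-action` to a commit SHA instead of the mutable `v0.35.0` tag in both the new and the existing steps.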
@ -56,8 +67,19 @@ jobs:
severity: HIGH,CRITICAL severity: HIGH,CRITICAL
ignore-unfixed: true ignore-unfixed: true
vuln-type: os,library vuln-type: os,library
- name: Build claude image for scanning - name: Build claude image for scanning
run: docker build -t scan/claude:latest ./claude run: docker build -t scan/claude:latest ./claude
- name: Generate claude SBOM
uses: aquasecurity/trivy-action@v0.35.0
with:
image-ref: scan/claude:latest
format: cyclonedx
output: sbom-claude.cdx.json
exit-code: '0'
vuln-type: os,library
- name: Scan claude image - name: Scan claude image
uses: aquasecurity/trivy-action@v0.35.0 uses: aquasecurity/trivy-action@v0.35.0
with: with:
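Review bot: the "Generate claude SBOM" step is a verbatim copy of the proxy one with only `image-ref` and `output` changed; a `matrix` over the two image names would keep the four Trivy steps from drifting and reduce every future change to one edit.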
@ -68,6 +90,16 @@ jobs:
ignore-unfixed: true ignore-unfixed: true
vuln-type: os,library vuln-type: os,library
- name: Upload SBOMs
if: always()
uses: actions/upload-artifact@v4
with:
name: sboms-${{ env.GITHUB_RUN_NUMBER }}
path: |
sbom-proxy.cdx.json
sbom-claude.cdx.json
retention-days: 90
build-and-push: build-and-push:
needs: scan needs: scan
runs-on: docker-cli runs-on: docker-cli
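Review bot: `if: always()` on "Upload SBOMs" also fires on a cancelled run, where the files may not exist yet; `if: ${{ !cancelled() }}` is the usual choice, and since `actions/upload-artifact@v4` only warns on missing paths by default, the proxy SBOM still uploads when the claude build step fails. Note also that these SBOMs describe the single-platform `scan/*:latest` images built with `docker build` in this job, not the multi-platform images that build-and-push pushes, so they document what was scanned, not what reaches the registry.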
@ -96,6 +128,8 @@ jobs:
with: with:
context: proxy context: proxy
push: true push: true
sbom: true
provenance: true
platforms: linux/amd64, linux/arm64 platforms: linux/amd64, linux/arm64
tags: | tags: |
${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-proxy:0.1.${{ env.GITHUB_RUN_NUMBER }} ${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-proxy:0.1.${{ env.GITHUB_RUN_NUMBER }}
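Review bot: `provenance: true` emits SLSA provenance in `mode=min`, which leaves out the materials and build arguments a verifier needs; `provenance: mode=max` is the value to use here, with the caveat that max mode records build args, so nothing secret may be passed that way. Both `sbom: true` and the provenance are attached as extra manifests in the image index, so confirm the registry behind `${{ vars.REGISTRY_URL }}` accepts them before relying on this.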
@ -105,6 +139,8 @@ jobs:
with: with:
context: claude context: claude
push: true push: true
sbom: true
provenance: true
platforms: linux/amd64, linux/arm64 platforms: linux/amd64, linux/arm64
tags: | tags: |
${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-claude:0.1.${{ env.GITHUB_RUN_NUMBER }} ${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-claude:0.1.${{ env.GITHUB_RUN_NUMBER }}
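Review bot: same points as for the proxy step. Since nothing in the job checks that the attestations actually landed, add a post-push step that runs `docker buildx imagetools inspect <tag> --format '{{ json .SBOM }}'` (and `{{ json .Provenance }}`) and fails when the output is empty; otherwise a registry that silently drops attestation manifests leaves the pipeline green with no attestations.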