From 8062b04c8ef40aa5218a8134d259e295ddf189ab Mon Sep 17 00:00:00 2001
From: Gustavo Valverde
Date: Thu, 19 Sep 2024 11:26:19 +0100
Subject: [PATCH] fix(scout): just run in the release PR

---
 .github/workflows/sub-build-docker-image.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/sub-build-docker-image.yml b/.github/workflows/sub-build-docker-image.yml
index 70a89a0d1cf..9b170cdbd80 100644
--- a/.github/workflows/sub-build-docker-image.yml
+++ b/.github/workflows/sub-build-docker-image.yml
@@ -184,6 +184,7 @@ jobs:
 # For the latest built image, display:
 # - the vulnerabilities (ignoring the base image, and only displaying vulnerabilities with a critical or high security severity)
+ # - the available recommendations
 # - compare it to the latest image indexed in Docker Hub (only displaying changed packages and vulnerabilities that already have a fix)
 #
 # Record the image to Scout environment based on the event type, for example:
@@ -195,9 +196,11 @@ jobs:
 uses: docker/scout-action@v1.13.0
 # We only run Docker Scout on the runtime target, as the other targets are not meant to be released
 # and are commonly used for testing, and thus are ephemeral.
- if: ${{ inputs.dockerfile_target == 'runtime' }}
+ # TODO: Remove the `contains` check once we have a better way to determine if just new vulnerabilities are present.
+ # See: https://github.com/docker/scout-action/issues/56
+ if: ${{ inputs.dockerfile_target == 'runtime' && contains(github.event.pull_request.title, 'Release v') }}
 with:
- command: cves,compare
+ command: cves,recommendations,compare
 image: us-docker.pkg.dev/${{ vars.GCP_PROJECT }}/zebra/${{ inputs.image_name }}:${{ steps.meta.outputs.version }}
 to: zfnd/zebra:latest
 ignore-base: true
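Review bot: The new `if` expression reads `github.event.pull_request.title`, which is only populated on pull-request events; on a push, tag or manual run the `contains()` operand is empty, so the Scout step is now skipped entirely there and the image that is actually published from a release is no longer scanned or compared against `zfnd/zebra:latest`. The comment above the step still only explains the `runtime` target restriction, so add `# NOTE: this also skips Scout on every non-PR event, because github.event.pull_request is empty there.` next to the new TODO so the next reader does not assume release builds are covered. The earlier hunk's context says the image is recorded to a Scout environment based on the event type; if that event-type branching lives in the lines below this hunk, it looks unreachable for non-PR events now, which is worth confirming. A PR title is also free text any contributor can set, so if the intent is to gate on genuine release builds, a check on the ref or tag would be a firmer signal than the title match. The step continues outside the hunk.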