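#!/usr/bin/env bash
# Contract check for the container image scan job in the Docker workflow.
#
# Asserts that the workflow file still contains the literals that make up the
# scan contract: the scan job, its job dependencies, the release push guard,
# SHA-pinned third-party actions, SARIF output and the report artifact name.
# It is a text-level check: each literal must appear verbatim in the file.
#
# Usage: check_container_scan_workflow.sh [WORKFLOW_PATH]
#   WORKFLOW_PATH  workflow to check; defaults to .github/workflows/docker.yml
#                  (relative to the repository root, so run it from there).
# Exit status: 0 when every contract point is present, 1 at the first one missing.
set -euo pipefail

# Path of the workflow under check. An optional first argument overrides the
# default so the same contract can be applied to a copy or a variant file.
workflow="${1:-.github/workflows/docker.yml}"
readonly workflow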
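# require_literal NEEDLE DESCRIPTION
#   Fail the run unless NEEDLE appears verbatim (fixed string, not a regex)
#   somewhere in "$workflow". DESCRIPTION names the contract point in the
#   error message. An unreadable or missing workflow file is reported
#   separately from a missing literal so that a wrong path is not mistaken
#   for a contract regression; both cases exit 1.
#   NOTE: this is a presence check on raw text. It cannot tell a live step
#   from a commented-out one, and it cannot detect a second, differently
#   pinned reference to the same action elsewhere in the file.
require_literal() {
  local needle="$1"
  local description="$2"
  local rc=0
  # '--' stops grep from parsing a needle that starts with '-' as an option.
  grep -Fq -- "$needle" "$workflow" || rc=$?
  case "$rc" in
    0) return 0 ;;
    1)
      echo "missing container scan workflow contract: $description" >&2
      exit 1
      ;;
    *)
      # grep exits >= 2 on errors such as a missing or unreadable file.
      echo "cannot read workflow file '$workflow' (grep exit $rc)" >&2
      exit 1
      ;;
  esac
}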
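# require_pinned_action ACTION
#   Fail the run if any `uses:` line referencing ACTION pins it to something
#   other than a full 40-hex commit SHA. require_literal only proves that one
#   SHA-pinned reference exists; a second reference to the same action pinned
#   to a mutable tag or branch would still pass that check, and a tag move
#   upstream would then change what runs with registry credentials.
require_pinned_action() {
  local action="$1"
  local unpinned
  # First grep selects every reference to the action; the second drops those
  # followed by a 40-hex SHA and whitespace/end-of-line (a trailing comment
  # after the SHA is fine). An empty result means every reference is pinned.
  unpinned=$(grep -nE "uses:[[:space:]]*${action}@" "$workflow" \
    | grep -vE '@[0-9a-f]{40}([[:space:]]|$)' || true)
  if [[ -n "$unpinned" ]]; then
    echo "unpinned reference to $action in $workflow:" >&2
    echo "$unpinned" >&2
    exit 1
  fi
}

# Check the file up front so a wrong path is not reported as a missing literal.
if [[ ! -r "$workflow" ]]; then
  echo "workflow file not found or not readable: $workflow" >&2
  exit 1
fi

# Scan job and its position in the job graph.
require_literal "scan-docker-image:" "scan job"
require_literal "needs: [ build-check, build-docker ]" "build dependency"
# The scan runs only for images that were actually built and pushed; the
# guard keys off the same build-check outputs the push step uses.
require_literal "needs.build-check.outputs.should_build == 'true' && needs.build-check.outputs.should_push == 'true'" "release image push guard"
# Third-party actions are pinned to commit SHAs rather than mutable tags.
require_literal "docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9" "pinned GHCR login action"
require_literal "aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25" "pinned Trivy action"
# The scanned image is the GHCR tag just pushed for this version/variant.
require_literal 'image-ref: ${{ env.REGISTRY_GHCR }}:${{ needs.build-check.outputs.version }}${{ matrix.suffix }}' "GHCR image reference"
# Output contract: a SARIF report kept as a workflow artifact.
require_literal "format: sarif" "SARIF report format"
# exit-code "0" is the deliberate report-only policy: Trivy findings never
# fail the job, so nothing in this workflow blocks a vulnerable image from
# being released. Anyone who wants the scan to act as a gate must change the
# workflow policy (and this contract), not just read the report.
require_literal 'exit-code: "0"' "report-only failure policy"
require_literal "actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a" "pinned report upload action"
require_literal "container-image-scan-" "scan report artifact name"
# Presence of the pinned literals above does not rule out an additional
# unpinned reference to the same actions; reject those explicitly.
require_pinned_action "docker/login-action"
require_pinned_action "aquasecurity/trivy-action"
require_pinned_action "actions/upload-artifact"
echo "Container scan workflow contract ok."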