action.yml

name: "dockle-action"
author: "Sean Erswell-Liljefelt"
description: "Lint & Best Practices for container images with integrations to Github UI"
branding:
  color: gray-dark
  icon: layers
inputs:
  image:
    description: "The image that should be analysed"
    required: true
  report-format:
    description: "Choose one of json or sarif for UI integration with GHAS"
    required: false
    default: "json"
  report-name:
    description: "Defaults to dockle-report and extension is added automatically."
    required: false
    default: "dockle-report"
  failure-threshold:
    description: "Level of findings that should trigger a job failure. Defaults to WARN. Options are INFO, WARN, FATAL"
    required: false
    default: "WARN"
  exit-code:
    description: "Should the job fail if findings at or higher than threshold? 0=No 1=Yes. Defaults to 1"
    required: false
    default: "1"
  dockle-version:
    description: "If you wish to specify a version of Dockle to use in the format 1.2.3 - otherwise uses latest"
    required: false
    default: "latest"
  accept-keywords:
    description: "Comma seperated list of acceptable keywords for credential checks."
    required: false
    default: ""
  accept-filenames:
    description: "Comma seperated list of acceptable file names for credential checks"
    required: false
    default: ""
  accept-extensions:
    description: "Comma seperated list of acceptable file extensions for credential checks"
    required: false
    default: ""
  timeout:
    description: "docker timeout. e.g) 5s, 5m..."
    required: false
    default: "10m"
  dockle-host:
    description: "Override the DOCKLE_HOST environment variable"
    required: false
    default: "unix:///var/run/docker.sock"
  token:
    description: "GitHub token used to query the GitHub API"
    required: false
    default: ${{ github.token }}
runs:
  using: "composite"
  steps:
    - name: Install Dockle
      shell: bash
      id: install
      env:
        DOCKLE_VERSION: ${{ inputs.dockle-version }}
        GH_TOKEN: ${{ github.token }}
      run: |
        if [ "$DOCKLE_VERSION" = "latest" ]; then
          export DOCKLE_VERSION=$(curl -H "Authorization: token ${GH_TOKEN}" --silent "https://api.github.com/repos/goodwithtech/dockle/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
        fi
        curl -L -o dockle.deb https://github.com/goodwithtech/dockle/releases/download/v${DOCKLE_VERSION}/dockle_${DOCKLE_VERSION}_Linux-64bit.deb && sudo dpkg -i dockle.deb && rm dockle.deb
    - name: Run Dockle
      shell: bash
      id: dockle
      env:
        IMAGE: ${{ inputs.image }}
        REPORT_FORMAT: ${{ inputs.report-format }}
        REPORT_NAME: ${{ inputs.report-name }}
        FAILURE_THRESHOLD: ${{ inputs.failure-threshold }}
        EXIT_CODE: ${{ inputs.exit-code }}
        DOCKLE_ACCEPT_KEYS: ${{ inputs.accept-keywords }}
        DOCKLE_ACCEPT_FILES: ${{ inputs.accept-filenames }}
        DOCKLE_ACCEPT_FILE_EXTENSIONS: ${{ inputs.accept-extensions }}
        DOCKLE_TIMEOUT: ${{ inputs.timeout }}
        DOCKLE_HOST: ${{ inputs.dockle-host }}
      run: |
        # Exit always with exit 0 to continue with the stdout version
        dockle -f "$REPORT_FORMAT" -o "$REPORT_NAME.$REPORT_FORMAT" --exit-code 0 --exit-level "$FAILURE_THRESHOLD" "$IMAGE"
        # Re-run for stdout report and break build if required
        dockle --exit-code $EXIT_CODE --exit-level "$FAILURE_THRESHOLD" "$IMAGE"