Skip to content
malware-scanner

Update malware.yml #2

Sign in to view logs

Update malware.yml

Update malware.yml #2

Workflow file for this run

.github/workflows/malware.yml at e4ae23f
name: malware-scanner
on:
push:
branches:
- "*"
pull_request:
branches:
- "*"
jobs:
malware-scanner:
runs-on: ubuntu-latest
env:
GROUP: demo
COMMIT: ${{ github.sha }}
REPO: infra-mon
DEEPFENCE_CONSOLE_URL: ${{secrets.DEEPFENCE_URL}}
DEEPFENCE_KEY: ${{secrets.DEEPFENCE_KEY}}
steps:
- uses: actions/checkout@v4
# Build docker image for service
- name: Build docker image
uses: docker/build-push-action@v4
with:
context: .
push: false
tags: ${{ env.GROUP }}/${{ env.REPO }}:${{ github.sha }}
# Run Deepfence Malware Scanner to check for malwares in image
- name: Run Deepfence Malware Scanner
env:
DEEPFENCE_CONSOLE_URL: ${{ env.DEEPFENCE_CONSOLE_URL }}
DEEPFENCE_KEY: ${{ env.DEEPFENCE_KEY }}
FULL_IMAGE_NAME: ${{ env.GROUP }}/${{ env.REPO }}:${{ github.sha }}
NGINX: "nginx:latest"
FAIL_MALWARE_COUNT: 100 # Fail build if number of malwares found is >= this number. Set -1 to pass regardless of malwares.
FAIL_HIGH_MALWARE_COUNT: 10 # Fail build if number of high malwares found is >= this number. Set -1 to pass regardless of high malwares.
FAIL_MEDIUM_MALWARE_COUNT: 20 # Fail build if number of medium malwares found is >= this number. Set -1 to pass regardless of medium malwares.
FAIL_LOW_MALWARE_COUNT: 50 # Fail build if number of low malwares found is >= this number. Set -1 to pass regardless of low malwares.
run: |
docker pull deepfenceio/deepfence_malware_scanner_ce:2.1.1
docker run -i --rm --net=host --privileged=true \
--cpus=0.3 \
-v /var/run/docker.sock:/var/run/docker.sock:rw deepfenceio/deepfence_malware_scanner_ce:2.1.1 \
-image-name "$FULL_IMAGE_NAME" \
-fail-on-count=$FAIL_MALWARE_COUNT \
-fail-on-high-count=$FAIL_HIGH_MALWARE_COUNT \
-fail-on-medium-count=$FAIL_MEDIUM_MALWARE_COUNT -\
fail-on-low-count=$FAIL_LOW_MALWARE_COUNT