From 914de7b79df7119ebbc6115e1bad469cbeebd67f Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 30 Jan 2026 12:12:39 +0000 Subject: [PATCH 01/10] add docker scan --- .github/workflows/quality-checks.yml | 83 ++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 25a32cc..e655618 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -23,9 +23,21 @@ on: type: boolean description: Toggle to reinstall poetry on top of python version installed by asdf. default: false + run_docker_scan: + type: boolean + description: Toggle to run docker vulnerability scan on this repository. + default: false + required: false + docker_images: + type: string + description: JSON array of docker image references to scan when docker scanning is enabled. + default: "[]" + required: false jobs: quality_checks: + outputs: + docker_images: ${{ steps.normalized_docker_images.outputs.images }} runs-on: ubuntu-22.04 steps: - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 
@@ -305,6 +317,35 @@ jobs: output: "dependency_results_java.txt" exit-code: "1" trivy-config: trivy.yaml + - name: Build docker images + if: ${{ inputs.run_docker_scan == true }} + run: | + make docker-build + + - name: Determine docker images to scan + id: normalized_docker_images + run: | + if [ "${{ inputs.run_docker_scan }}" != "true" ]; then + echo "Docker scanning disabled; emitting empty image list." + echo 'images=[]' >> "$GITHUB_OUTPUT" + exit 0 + fi + + INPUT='${{ inputs.docker_images }}' + DEFAULT_IMAGE="docker.io/my-organization/my-app:${GITHUB_SHA}" + + if [ -z "$INPUT" ]; then + INPUT="[]" + fi + + if [ "$INPUT" = "[]" ]; then + echo "No docker images provided; defaulting to $DEFAULT_IMAGE" + echo "images=[\"$DEFAULT_IMAGE\"]" >> "$GITHUB_OUTPUT" + else + echo "Using provided docker images: $INPUT" + echo "images=$INPUT" >> "$GITHUB_OUTPUT" + fi + - name: Show vulnerability output if: always() run: | 
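Review bot: The `Determine docker images to scan` step writes the caller-supplied `docker_images` string straight into `$GITHUB_OUTPUT` without checking that it really is a JSON array of strings, so a malformed or unexpected value only surfaces when `fromJson` builds the matrix in the dependent job, and a value containing a newline would let the caller append extra `name=value` lines to the output file. Validate before emitting, e.g. `echo "$INPUT" | jq -ce 'type == "array" and all(type == "string")' >/dev/null || { echo "::error::docker_images must be a JSON array of strings"; exit 1; }` (jq should be present on the GitHub-hosted ubuntu image). The same step also pastes `${{ inputs.docker_images }}` into the script as `INPUT='…'`; a single quote in the input terminates the shell quoting, so the value should reach the script through `env:` rather than expression interpolation. The `quality_checks` step list continues outside the hunk.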
@@ -344,6 +385,48 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + docker_vulnerability_scan: + runs-on: ubuntu-22.04 + needs: quality_checks + if: ${{ inputs.run_docker_scan == true }} + strategy: + matrix: + docker_image: ${{ fromJson(needs.quality_checks.outputs.docker_images) }} + steps: + - name: Checkout code + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + with: + ref: ${{ env.BRANCH_NAME }} + fetch-depth: 0 + + - name: Prepare trivy config + run: | + cat <<'EOF' > trivy.yaml + pkg: + include-dev-deps: true + EOF + + - name: Check docker vulnerabilities + uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 + with: + scan-type: "image" + image-ref: ${{ matrix.docker_image }} + severity: "CRITICAL,HIGH" + scanners: "vuln" + vuln-type: "os,library" + format: "table" + output: "dependency_results_docker.txt" + exit-code: "1" + trivy-config: trivy.yaml + + - name: Show docker vulnerability output + if: always() + run: | + echo "Scan output for ${{ matrix.docker_image }}" + if [ -f dependency_results_docker.txt ]; then + cat dependency_results_docker.txt + fi + # CloudFormation validation (runs only if templates exist, ~3-5 minutes) IaC-validation: runs-on: ubuntu-22.04 From 6941697315ad4c494db81baaada44dfd6ce0cebc Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 30 Jan 2026 12:18:37 +0000 Subject: [PATCH 02/10] remove default image --- .github/workflows/quality-checks.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index e655618..a186ec1 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml 
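Review bot: `echo "Scan output for ${{ matrix.docker_image }}"` in the `Show docker vulnerability output` step expands a matrix value into a `run:` script; the matrix is produced by `fromJson` over the `docker_images` input, so whoever controls the calling workflow's input controls text that is spliced into the shell before it executes. Pass it as an environment variable instead: `env: IMAGE_REF: ${{ matrix.docker_image }}` on the step and `echo "Scan output for $IMAGE_REF"`. The `image-ref:` value handed to trivy-action is a `with:` input rather than shell text and does not need the same treatment. The `docker_vulnerability_scan` job is complete within the hunk; the `IaC-validation` job that follows continues outside it.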
@@ -332,15 +332,15 @@ jobs: fi INPUT='${{ inputs.docker_images }}' - DEFAULT_IMAGE="docker.io/my-organization/my-app:${GITHUB_SHA}" + if [ -z "$INPUT" ]; then INPUT="[]" fi if [ "$INPUT" = "[]" ]; then - echo "No docker images provided; defaulting to $DEFAULT_IMAGE" - echo "images=[\"$DEFAULT_IMAGE\"]" >> "$GITHUB_OUTPUT" + echo "No docker images provided" + exit 1 else echo "Using provided docker images: $INPUT" echo "images=$INPUT" >> "$GITHUB_OUTPUT" From 614021522835f19c2169131c3848fb17873593dd Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 30 Jan 2026 12:30:51 +0000 Subject: [PATCH 03/10] move stuff around --- .github/workflows/quality-checks.yml | 56 ++++++++++++++-------------- README.md | 24 +++++++++++- 2 files changed, 50 insertions(+), 30 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index a186ec1..acd87dc 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -249,6 +249,33 @@ jobs: - name: Run unit tests run: make test + - name: Build docker images + if: ${{ inputs.run_docker_scan == true }} + run: | + make docker-build + - name: Determine docker images to scan + id: normalized_docker_images + run: | + if [ "${{ inputs.run_docker_scan }}" != "true" ]; then + echo "Docker scanning disabled; emitting empty image list." + echo 'images=[]' >> "$GITHUB_OUTPUT" + exit 0 + fi + + INPUT='${{ inputs.docker_images }}' + + + if [ -z "$INPUT" ]; then + INPUT="[]" + fi + + if [ "$INPUT" = "[]" ]; then + echo "No docker images provided" + exit 1 + else + echo "Using provided docker images: $INPUT" + echo "images=$INPUT" >> "$GITHUB_OUTPUT" + fi - name: Generate SBOM uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 
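Review bot: Failing closed with `exit 1` when scanning is enabled but no image was supplied is the right call, but the reason is a plain `echo` that is easy to miss in the step log; emit it as a workflow command so it shows in the run summary and annotations, `echo "::error::run_docker_scan is true but docker_images is empty"`. The step's script starts outside the hunk.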
@@ -317,35 +344,6 @@ jobs: output: "dependency_results_java.txt" exit-code: "1" trivy-config: trivy.yaml - - name: Build docker images - if: ${{ inputs.run_docker_scan == true }} - run: | - make docker-build - - - name: Determine docker images to scan - id: normalized_docker_images - run: | - if [ "${{ inputs.run_docker_scan }}" != "true" ]; then - echo "Docker scanning disabled; emitting empty image list." - echo 'images=[]' >> "$GITHUB_OUTPUT" - exit 0 - fi - - INPUT='${{ inputs.docker_images }}' - - - if [ -z "$INPUT" ]; then - INPUT="[]" - fi - - if [ "$INPUT" = "[]" ]; then - echo "No docker images provided" - exit 1 - else - echo "Using provided docker images: $INPUT" - echo "images=$INPUT" >> "$GITHUB_OUTPUT" - fi - - name: Show vulnerability output if: always() run: | diff --git a/README.md b/README.md index bd91fa5..3af29ad 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,24 @@ A collection of common workflows used by other EPS repositories The workflows that are available to use are +## Adding exclusions to trivy scanning +The quality checks job uses trivy to scan for vulnerabilities. +There may be times you want to add an exclusion for a known vulnerability that we are happy to accept +To do this, in the calling repo, add trivy.yaml with this content +``` +ignorefile: ".trivyignore.yaml" +``` +and add a .trivyignore.yaml with this content +``` +vulnerabilities: + - id: CVE-2026-24842 + paths: + - "package-lock.json" + statement: downstream dependency for tar - waiting for new npm release + expired_at: 2026-06-01 +``` +See https://trivy.dev/docs/latest/configuration/filtering/#trivyignoreyaml for more details + ## combine dependabot prs This workflow can be called to combine multiple open Dependabot PRs into a single PR. 
@@ -96,10 +114,12 @@ jobs: This workflow runs common quality checks. To use this, you must have the following Makefile targets defined - install -- check-licences - lint - test +- install-node (only for cdk projects) +- compile (only for cdk projects) - cdk-synth (only for cdk projects) +- docker-build (only if run_docker_scan is set to true) #### Inputs @@ -107,6 +127,8 @@ To use this, you must have the following Makefile targets defined - `run_sonar`: Whether to run sonar checks or not. - `asdfVersion`: Override the version of asdf to install. - `reinstall_poetry`: If you are using this from a primarily python based project, you should set this to true to force a poetry reinstallation after python is installed +- `run_docker_scan`: whether to run a scan of docker images +- `docker_images`: array of docker images to scan. These must match images produced by make docker-build #### Secret Inputs - `SONAR_TOKEN`: Token used to authenticate to sonar From 5669f276b810523686ae56c5397bc574633d83a1 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 30 Jan 2026 12:58:46 +0000 Subject: [PATCH 04/10] accept csv --- .github/workflows/quality-checks.yml | 154 +++++++++++++++++++++------ 1 file changed, 120 insertions(+), 34 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index acd87dc..52e7d1c 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -30,14 +30,12 @@ on: required: false docker_images: type: string - description: JSON array of docker image references to scan when docker scanning is enabled. + description: comma separated list of docker image references to scan when docker scanning is enabled. default: "[]" required: false jobs: quality_checks: - outputs: - docker_images: ${{ steps.normalized_docker_images.outputs.images }} runs-on: ubuntu-22.04 steps: - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 
@@ -249,34 +247,6 @@ jobs: - name: Run unit tests run: make test - - name: Build docker images - if: ${{ inputs.run_docker_scan == true }} - run: | - make docker-build - - name: Determine docker images to scan - id: normalized_docker_images - run: | - if [ "${{ inputs.run_docker_scan }}" != "true" ]; then - echo "Docker scanning disabled; emitting empty image list." - echo 'images=[]' >> "$GITHUB_OUTPUT" - exit 0 - fi - - INPUT='${{ inputs.docker_images }}' - - - if [ -z "$INPUT" ]; then - INPUT="[]" - fi - - if [ "$INPUT" = "[]" ]; then - echo "No docker images provided" - exit 1 - else - echo "Using provided docker images: $INPUT" - echo "images=$INPUT" >> "$GITHUB_OUTPUT" - fi - - name: Generate SBOM uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 with: 
@@ -383,13 +353,130 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + docker_image_build: + outputs: + docker_images: ${{ steps.normalized_docker_images.outputs.images }} + runs-on: ubuntu-22.04 + steps: + - name: Checkout code + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + with: + ref: ${{ env.BRANCH_NAME }} + fetch-depth: 0 + # using git commit sha for version of action to ensure we have stable version + - name: Install asdf + uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 + with: + asdf_version: ${{ inputs.asdfVersion }} + + - name: Cache asdf + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb + with: + path: | + ~/.asdf + key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}-${{ inputs.asdfVersion }} + restore-keys: | + ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}-${{ inputs.asdfVersion }} + + - name: Install asdf dependencies in .tool-versions + uses: asdf-vm/actions/install@b7bcd026f18772e44fe1026d729e1611cc435d47 + with: + asdf_version: ${{ inputs.asdfVersion }} + env: + PYTHON_CONFIGURE_OPTS: --enable-shared + + - name: Reinstall poetry + if: ${{ inputs.reinstall_poetry }} + run: | + poetry_tool_version=$(cat .tool-versions | grep poetry) + poetry_version=${poetry_tool_version//"poetry "} + asdf uninstall poetry "$poetry_version" + asdf install poetry + + - name: Setting up .npmrc + env: + NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc + echo "@nhsdigital:registry=https://npm.pkg.github.com" >> ~/.npmrc + + - name: Cache npm dependencies + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb + with: + path: ./node_modules + key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} + restore-keys: | + ${{ runner.os }}-node- + + - name: make install + run: | + make install + - name: Build docker images + if: ${{ inputs.run_docker_scan == 
true }} + run: | + make docker-build + - name: Determine docker images to scan + id: normalized_docker_images + run: | + if [ "${{ inputs.run_docker_scan }}" != "true" ]; then + echo "Docker scanning disabled; emitting empty image list." + echo 'images=[]' >> "$GITHUB_OUTPUT" + exit 0 + fi + + INPUT='${{ inputs.docker_images }}' + + + if [ -z "$INPUT" ]; then + INPUT="[]" + fi + + normalize_to_json_array() { + local raw="$1" + + # If the input already looks like JSON, return as-is + if echo "$raw" | grep -q '^[[:space:]]*\['; then + echo "$raw" + return + fi + + local json="[" + local first=true + IFS=',' read -ra ITEMS <<< "$raw" + for item in "${ITEMS[@]}"; do + # Trim whitespace around each image reference + item=$(echo "$item" | xargs) + if [ -z "$item" ]; then + continue + fi + if [ "$first" = true ]; then + first=false + else + json+=", " + fi + json+="\"$item\"" + done + json+="]" + echo "$json" + } + + NORMALIZED=$(normalize_to_json_array "$INPUT") + + if [ "$NORMALIZED" = "[]" ]; then + echo "No docker images provided" + exit 1 + fi + + echo "Using provided docker images: $NORMALIZED" + echo "images=$NORMALIZED" >> "$GITHUB_OUTPUT" + docker_vulnerability_scan: runs-on: ubuntu-22.04 - needs: quality_checks + needs: docker_image_build if: ${{ inputs.run_docker_scan == true }} strategy: matrix: - docker_image: ${{ fromJson(needs.quality_checks.outputs.docker_images) }} + docker_image: ${{ fromJson(needs.docker_image_build.outputs.docker_images) }} steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd @@ -425,7 +512,6 @@ jobs: cat dependency_results_docker.txt fi - # CloudFormation validation (runs only if templates exist, ~3-5 minutes) IaC-validation: runs-on: ubuntu-22.04 steps: From 4f6c28b5c70555ae55e6aecf3aa311053bfda9bb Mon Sep 17 00:00:00 2001 
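Review bot: `normalize_to_json_array` returns any input that starts with `[` untouched, so the CSV branch's quoting is bypassed and arbitrary JSON (objects, nested arrays, strings containing newlines or shell metacharacters) is written to `$GITHUB_OUTPUT` and becomes `docker_vulnerability_scan` matrix entries that a later `run:` step expands with `${{ matrix.docker_image }}`. The CSV branch has its own gaps: `json+="\"$item\""` does not escape `"` or `\`, and `xargs` used for trimming aborts on an unmatched quote inside an item. Validate the normalized value once after the function runs with jq — require a non-empty array of strings matching a conservative image-reference pattern — and re-emit it with `jq -c` so the output is guaranteed to be a single line; this also subsumes the `"[]"` check. The `INPUT='${{ inputs.docker_images }}'` assignment should likewise become an `env:` variable, since that interpolation is itself a shell-injection point. The step's script and the `get_docker_images_to_scan` job continue outside the hunk.

```yaml
      - name: Determine docker images to scan
        id: normalized_docker_images
        env:
          DOCKER_IMAGES: ${{ inputs.docker_images }}
        run: |
          # … unchanged: early exit when run_docker_scan is not true …
          INPUT="${DOCKER_IMAGES}"
          # … unchanged: normalize_to_json_array definition …
          NORMALIZED=$(normalize_to_json_array "$INPUT")

          # Entries become matrix values that later run: steps expand, so accept
          # only a non-empty array of plain image references and canonicalise it
          # to one line before it is written to GITHUB_OUTPUT.
          if ! NORMALIZED=$(printf '%s' "$NORMALIZED" | jq -ce '
                select(type == "array" and length > 0
                       and all(type == "string" and test("^[A-Za-z0-9][A-Za-z0-9._:/@-]*$")))'); then
            echo "::error::docker_images must be a comma separated list or JSON array of image references"
            exit 1
          fi

          echo "Using provided docker images: $NORMALIZED"
          echo "images=$NORMALIZED" >> "$GITHUB_OUTPUT"
```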
From: Anthony Brown Date: Fri, 30 Jan 2026 13:03:39 +0000 Subject: [PATCH 05/10] fix it --- .github/workflows/quality-checks.yml | 110 +++++++++++++-------------- 1 file changed, 55 insertions(+), 55 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 52e7d1c..7677a51 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -353,7 +353,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - docker_image_build: + get_docker_images_to_scan: outputs: docker_images: ${{ steps.normalized_docker_images.outputs.images }} runs-on: ubuntu-22.04 
@@ -363,58 +363,6 @@ jobs: with: ref: ${{ env.BRANCH_NAME }} fetch-depth: 0 - # using git commit sha for version of action to ensure we have stable version - - name: Install asdf - uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 - with: - asdf_version: ${{ inputs.asdfVersion }} - - - name: Cache asdf - uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb - with: - path: | - ~/.asdf - key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}-${{ inputs.asdfVersion }} - restore-keys: | - ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}-${{ inputs.asdfVersion }} - - - name: Install asdf dependencies in .tool-versions - uses: asdf-vm/actions/install@b7bcd026f18772e44fe1026d729e1611cc435d47 - with: - asdf_version: ${{ inputs.asdfVersion }} - env: - PYTHON_CONFIGURE_OPTS: --enable-shared - - - name: Reinstall poetry - if: ${{ inputs.reinstall_poetry }} - run: | - poetry_tool_version=$(cat .tool-versions | grep poetry) - poetry_version=${poetry_tool_version//"poetry "} - asdf uninstall poetry "$poetry_version" - asdf install poetry - - - name: Setting up .npmrc - env: - NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc - echo "@nhsdigital:registry=https://npm.pkg.github.com" >> ~/.npmrc - - - name: Cache npm dependencies - uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb - with: - path: ./node_modules - key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} - restore-keys: | - ${{ runner.os }}-node- - - - name: make install - run: | - make install - - name: Build docker images - if: ${{ inputs.run_docker_scan == true }} - run: | - make docker-build - name: Determine docker images to scan id: normalized_docker_images run: | 
@@ -472,17 +420,65 @@ jobs: docker_vulnerability_scan: runs-on: ubuntu-22.04 - needs: docker_image_build + needs: get_docker_images_to_scan if: ${{ inputs.run_docker_scan == true }} strategy: matrix: - docker_image: ${{ fromJson(needs.docker_image_build.outputs.docker_images) }} + docker_image: ${{ fromJson(needs.get_docker_images_to_scan.outputs.docker_images) }} steps: - name: Checkout code uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd with: ref: ${{ env.BRANCH_NAME }} fetch-depth: 0 + # using git commit sha for version of action to ensure we have stable version + - name: Install asdf + uses: asdf-vm/actions/setup@b7bcd026f18772e44fe1026d729e1611cc435d47 + with: + asdf_version: ${{ inputs.asdfVersion }} + + - name: Cache asdf + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb + with: + path: | + ~/.asdf + key: ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}-${{ inputs.asdfVersion }} + restore-keys: | + ${{ runner.os }}-asdf-${{ hashFiles('**/.tool-versions') }}-${{ inputs.asdfVersion }} + + - name: Install asdf dependencies in .tool-versions + uses: asdf-vm/actions/install@b7bcd026f18772e44fe1026d729e1611cc435d47 + with: + asdf_version: ${{ inputs.asdfVersion }} + env: + PYTHON_CONFIGURE_OPTS: --enable-shared + + - name: Reinstall poetry + if: ${{ inputs.reinstall_poetry }} + run: | + poetry_tool_version=$(cat .tool-versions | grep poetry) + poetry_version=${poetry_tool_version//"poetry "} + asdf uninstall poetry "$poetry_version" + asdf install poetry + + - name: Setting up .npmrc + env: + NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + echo "//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc + echo "@nhsdigital:registry=https://npm.pkg.github.com" >> ~/.npmrc + + - name: Cache npm dependencies + uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb + with: + path: ./node_modules + key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }} + restore-keys: | + ${{ runner.os }}-node- + 
+ - name: make install + run: | + make install - name: Prepare trivy config run: | @@ -490,6 +486,10 @@ jobs: pkg: include-dev-deps: true EOF + - name: Build docker images + if: ${{ inputs.run_docker_scan == true }} + run: | + make docker-build - name: Check docker vulnerabilities uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 From 1273e0c5d9b2bf1d87a033880430df90064f579e Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 30 Jan 2026 13:16:12 +0000 Subject: [PATCH 06/10] add trivy ignore --- .trivyignore.yaml | 6 ++++++ trivy.yaml | 1 + 2 files changed, 7 insertions(+) create mode 100644 .trivyignore.yaml create mode 100644 trivy.yaml diff --git a/.trivyignore.yaml b/.trivyignore.yaml new file mode 100644 index 0000000..e9e00f0 --- /dev/null +++ b/.trivyignore.yaml @@ -0,0 +1,6 @@ +vulnerabilities: + - id: CVE-2026-24842 + paths: + - "package-lock.json" + statement: downstream dependency for tar - waiting for new npm release + expired_at: 2026-06-01 diff --git a/trivy.yaml b/trivy.yaml new file mode 100644 index 0000000..eb24337 --- /dev/null +++ b/trivy.yaml @@ -0,0 +1 @@ +ignorefile: ".trivyignore.yaml" From f3481fb8a17955c54a6a7ef8344b7a16e3c9b5bb Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 30 Jan 2026 13:25:22 +0000 Subject: [PATCH 07/10] do not overwrite trivy config --- .github/workflows/quality-checks.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 7677a51..9466f52 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -480,12 +480,6 @@ jobs: run: | make install - - name: Prepare trivy config - run: | - cat <<'EOF' > trivy.yaml - pkg: - include-dev-deps: true - EOF - name: Build docker images if: ${{ inputs.run_docker_scan == true }} run: | From a5f3cf6eae512076ee4ef11f2c74a833b1a661a1 Mon Sep 17 00:00:00 2001 
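Review bot: `make docker-build` now runs inside `docker_vulnerability_scan`, which is a matrix job over `docker_images`, so every listed image triggers a full toolchain install and a rebuild of all images, once per matrix leg; with several images that multiplies build time and means each leg scans an image built independently of the others. If the Makefile can take the image as a parameter, pass `${{ matrix.docker_image }}` through `env:` and build only that one; otherwise build once in `get_docker_images_to_scan`, `docker save` the images to an artifact and load them in the scan job. The `if: ${{ inputs.run_docker_scan == true }}` on the build step is redundant because the job already carries that condition, so the step can be reduced to `- name: Build docker images` / `run: make docker-build`. The job definition continues outside the hunk.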
From: Anthony Brown Date: Fri, 30 Jan 2026 13:30:34 +0000 Subject: [PATCH 08/10] use env --- .github/workflows/quality-checks.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index 9466f52..bffabca 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -365,6 +365,8 @@ jobs: fetch-depth: 0 - name: Determine docker images to scan id: normalized_docker_images + env: + DOCKER_IMAGES: ${{ inputs.docker_images }} run: | if [ "${{ inputs.run_docker_scan }}" != "true" ]; then echo "Docker scanning disabled; emitting empty image list." @@ -372,8 +374,7 @@ jobs: exit 0 fi - INPUT='${{ inputs.docker_images }}' - + INPUT="${DOCKER_IMAGES}" if [ -z "$INPUT" ]; then INPUT="[]" From ff4aabe6a75a70b4f9b44fabfed77f44e15b5d40 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 30 Jan 2026 13:34:29 +0000 Subject: [PATCH 09/10] correct default --- .github/workflows/quality-checks.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/quality-checks.yml b/.github/workflows/quality-checks.yml index bffabca..5f78ce2 100644 --- a/.github/workflows/quality-checks.yml +++ b/.github/workflows/quality-checks.yml @@ -31,7 +31,7 @@ on: docker_images: type: string description: comma separated list of docker image references to scan when docker scanning is enabled. - default: "[]" + default: "" required: false jobs: From 2df4ae6bfc26c8b86ee8ce1d86778392dbb72e27 Mon Sep 17 00:00:00 2001 From: Anthony Brown Date: Fri, 30 Jan 2026 13:35:38 +0000 Subject: [PATCH 10/10] correct readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3af29ad..3d3eae9 100644 --- a/README.md +++ b/README.md 
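Review bot: Passing `docker_images` through `env:` removes the single-quote break-out in the old `INPUT='${{ … }}'` line, but the same step still expands `${{ inputs.run_docker_scan }}` into the script a few lines above; that input is boolean-typed so it cannot carry shell metacharacters, yet reading it the same way keeps the step free of interpolation: `RUN_DOCKER_SCAN: ${{ inputs.run_docker_scan }}` under `env:` and `if [ "$RUN_DOCKER_SCAN" != "true" ]; then`. The `Show docker vulnerability output` step in `docker_vulnerability_scan` still runs `echo "Scan output for ${{ matrix.docker_image }}"` with a value derived from this same input, and is the injection point the series leaves open. The step's script continues outside the hunk.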
@@ -128,7 +128,7 @@ To use this, you must have the following Makefile targets defined - `asdfVersion`: Override the version of asdf to install. - `reinstall_poetry`: If you are using this from a primarily python based project, you should set this to true to force a poetry reinstallation after python is installed - `run_docker_scan`: whether to run a scan of docker images -- `docker_images`: array of docker images to scan. These must match images produced by make docker-build +- `docker_images`: csv list of docker images to scan. These must match images produced by make docker-build #### Secret Inputs - `SONAR_TOKEN`: Token used to authenticate to sonar