name: 'API: Container Checks' on: push: branches: - 'master' - 'v5.*' paths: - 'api/**' - '.github/workflows/api-container-checks.yml' pull_request: branches: - 'master' - 'v5.*' paths: - 'api/**' - '.github/workflows/api-container-checks.yml' concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true env: API_WORKING_DIR: ./api IMAGE_NAME: prowler-api jobs: api-dockerfile-lint: runs-on: ubuntu-latest timeout-minutes: 15 permissions: contents: read steps: - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Check if Dockerfile changed id: dockerfile-changed uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0 with: files: api/Dockerfile - name: Lint Dockerfile with Hadolint if: steps.dockerfile-changed.outputs.any_changed == 'true' uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0 with: dockerfile: api/Dockerfile ignore: DL3013 api-container-build-and-scan: runs-on: ubuntu-latest timeout-minutes: 30 permissions: contents: read security-events: write pull-requests: write steps: - name: Checkout repository uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - name: Check for API changes id: check-changes uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0 with: files_ignore: | api/docs/** api/README.md api/CHANGELOG.md - name: Set up Docker Buildx if: steps.check-changes.outputs.any_changed == 'true' uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Build container if: steps.check-changes.outputs.any_changed == 'true' uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: ${{ env.API_WORKING_DIR }} push: false load: true tags: ${{ env.IMAGE_NAME }}:${{ github.sha }} cache-from: type=gha cache-to: type=gha,mode=max - name: Scan container with Trivy if: github.repository == 'prowler-cloud/prowler' && steps.check-changes.outputs.any_changed == 'true' uses: ./.github/actions/trivy-scan with: image-name: ${{ env.IMAGE_NAME }} image-tag: ${{ github.sha }} fail-on-critical: 'false' severity: 'CRITICAL'