
Automated Container Builds and Scanning

Modern CI pipelines must not only build software but also check its security before it ships. Building a container image and scanning it for known vulnerabilities before it is pushed or deployed is a baseline practice: the scan can block the pipeline, so a vulnerable image never reaches a registry that production pulls from.

Building and Pushing Container Images

Using GitHub Actions, you can automate building a Docker image and pushing it to a container registry such as Docker Hub, GitHub Container Registry (GHCR), or AWS ECR. The workflow needs a step that authenticates to the registry (for GHCR the job's own GITHUB_TOKEN with the packages: write permission is enough), a build step, and a push step. The scan described below belongs between the build and the push, so that only images that pass are published.

Vulnerability Scanning with Trivy

Trivy is an open-source scanner from Aqua Security that detects known vulnerabilities in the OS packages and application dependencies inside an image (it can also flag misconfigurations and leaked secrets). It is well suited to CI/CD pipelines because it is fast, needs no server component, and returns a non-zero exit code that the pipeline can act on.

Example Integration

steps:
  - name: Build an image from Dockerfile
    run: docker build -t my-app:${{ github.sha }} .

  # Pin the action to a release tag (or, better, a commit SHA) rather than master
  - name: Run Trivy vulnerability scanner
    uses: aquasecurity/trivy-action@0.28.0
    with:
      image-ref: 'my-app:${{ github.sha }}'
      format: 'table'
      exit-code: '1'            # fail the job when a matching finding exists
      ignore-unfixed: true      # skip findings that have no fixed package version yet
      vuln-type: 'os,library'   # OS packages and language dependencies
      severity: 'CRITICAL,HIGH'

With exit-code: '1', the scan step fails the job whenever a finding matches the filter, so the image is never pushed or deployed. Be clear about what this particular filter lets through: vulnerabilities rated MEDIUM or lower, and any CRITICAL or HIGH finding for which no fixed package version exists yet (ignore-unfixed: true). Those trade-offs keep the gate actionable, but they should be deliberate, and unfixed findings still need tracking. A scanner also only knows about published vulnerabilities, so a clean scan means "no known vulnerable packages", not "secure image". Finally, pin the action to a release tag or commit SHA rather than master: a floating reference lets a compromised upstream branch run arbitrary code in your pipeline, with access to your registry credentials.
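The following workflow ties the two halves of this module together (the build-and-push procedure above and the scan gate just described) in one job: the image is built into the runner's local Docker daemon, scanned with Trivy, and pushed to GHCR only if the scan step succeeds. This is an added example, not code from the original module or from the Trivy project. It assumes a Dockerfile at the repository root, that the image is published as ghcr.io/<owner>/<repo>, and that the action tags shown are current; in a real repository, replace them with commit SHAs.

```yaml
# Added example: build, scan, then push only on a clean scan (GHCR, GitHub Actions).
name: build-scan-push

on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: read
  packages: write   # required to push to GHCR with GITHUB_TOKEN

jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # GHCR image names must be lowercase; github.repository may contain uppercase.
      - name: Compute image name
        run: echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY,,}" >> "$GITHUB_ENV"

      - uses: docker/setup-buildx-action@v3

      # Authenticate only when we will actually push (not on pull requests).
      - name: Log in to GHCR
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Build into the local daemon (load: true); nothing leaves the runner yet.
      - name: Build image
        uses: docker/build-push-action@v6
        with:
          context: .
          load: true
          push: false
          tags: ${{ env.IMAGE }}:${{ github.sha }}

      # Gate: a fixable CRITICAL/HIGH finding fails the job here, before any push.
      - name: Scan image with Trivy
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ env.IMAGE }}:${{ github.sha }}
          format: table
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: os,library
          severity: CRITICAL,HIGH

      # Only reached if the scan step succeeded. Pushing the already-built local
      # image (rather than rebuilding) guarantees the published image is the
      # exact one that was scanned.
      - name: Push image
        if: github.event_name != 'pull_request'
        run: docker push "${IMAGE}:${GITHUB_SHA}"
```

Pull requests run the build and scan but never log in or push, so a contributor's change is checked without the job ever holding write access to the registry. If you also want the findings visible in the repository's Security tab, run a second Trivy step with format: sarif and an output file, and upload it with the GitHub SARIF upload action; keep the table-format step with exit-code: '1' as the gate.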