GitHub Action to run automated security checks on container images according to CHPs specification (Container Hardening Points).
This action assesses container images against multiple security vectors and gives them a grade (A+ to E) based on their:
- Minimalism (image size, layer count, etc.)
- Provenance (build sources, signatures, etc.)
- Configuration (user, permissions, etc.)
- CVE vulnerabilities
When used together with Create Issue From File (peter-evans/create-issue-from-file), an issue is opened whenever the action finds security problems. Make sure the workflow or the job grants the `issues: write` permission; note that once a `permissions:` block is present, every permission you do not list is set to none.
Here is a full example of a GitHub workflow file. It scans your container image once a day and opens an issue if security problems are found. Save it as `.github/workflows/chps-scorer.yml`:
```yaml
name: "CHPs Container Security Check"

on:
  repository_dispatch:
  workflow_dispatch:
  schedule:
    - cron: "00 18 * * *"

jobs:
  chps-scorer:
    runs-on: ubuntu-latest
    permissions:
      contents: read # required for actions/checkout once permissions are restricted
      issues: write  # required for peter-evans/create-issue-from-file
    steps:
      - uses: actions/checkout@v4

      - name: CHPs Security Check
        id: chps-scorer
        uses: vipulgupta2048/chps-scorer-github-action@v1
        with:
          image: REPLACE_WITH:YOUR_IMAGE
          dockerfile: ./Dockerfile

      - name: Write CHPs Report to File
        # Hand the output to the script through an environment variable instead of
        # expanding ${{ }} inside the shell, so report text is never parsed as shell.
        env:
          CHPS_REPORT: ${{ steps.chps-scorer.outputs.output }}
        run: |
          printf '%s\n' "$CHPS_REPORT" > chps-report.md

      - name: Create Issue
        uses: peter-evans/create-issue-from-file@v5
        with:
          title: Container Security Issues Detected
          content-filepath: ./chps-report.md
          labels: security, container, automated-issue
```
Input | Required | Default | Description |
---|---|---|---|
image | Yes | - | Container image to scan (e.g., nginx:latest) |
output-format | No | json | Output format (options: json) |
skip-cves | No | false | Skip CVE scanning |
dockerfile | No | - | Path to Dockerfile for additional checks |
Output | Description |
---|---|
output | Whether findings should trigger an issue (true/false) |
```yaml
- name: Scan nginx image
  uses: vipulgupta2048/chps-scorer-github-action@v1
  with:
    image: nginx:latest
```

```yaml
- name: Scan custom image with Dockerfile
  id: chps-scorer
  uses: vipulgupta2048/chps-scorer-github-action@v1
  with:
    image: my-custom-image:latest
    dockerfile: ./path/to/Dockerfile

- name: Write CHPS Report to File
  env:
    CHPS_REPORT: ${{ steps.chps-scorer.outputs.output }}
  run: |
    printf '%s\n' "$CHPS_REPORT" > chps-report.md

- name: Create Issue from File
  uses: peter-evans/create-issue-from-file@v5
  with:
    title: CHPS Security Findings
    content-filepath: chps-report.md
    labels: security, docker, chps-scorer
```
Example issue: #3
```yaml
- name: Quick scan without CVEs
  uses: vipulgupta2048/chps-scorer-github-action@v1
  with:
    image: my-image:latest
    skip-cves: true
```
Pin the CHPs Scorer action to a fixed version rather than a floating tag. Dependabot can then keep that pin current automatically, so you still receive updates while controlling exactly which version runs. Create a file named `.github/dependabot.yml` with the following contents:
```yaml
version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: ".github/workflows"
    schedule:
      interval: "weekly"
```
Adding or updating the `dependabot.yml` file triggers an immediate check for version updates. See the documentation for all configuration options.
For additional security when relying on automation to update actions, pin the action to a full-length commit SHA instead of a semver tag. A tag can be moved, or deleted and recreated, to point at different code; a commit SHA cannot, so the pin fixes exactly what runs. Dependabot still updates SHA pins, and keeps the trailing version comment in step with the new SHA.

For example:

```yaml
- name: CHPs Security Check
  uses: vipulgupta2048/chps-scorer-github-action@abcdef123456789abcdef123456789abcdef1234 # v1.0.0
```
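The pinning advice above is easy to state and easy to let slip in a later edit, so it is worth checking mechanically. The following POSIX shell script is an added example, not part of the chps-scorer action or its README: it walks workflow files and flags every `uses:` reference that is not pinned to a full 40-character commit SHA, skipping local actions and `docker://` images. The function names, the file name in the usage comment and the two sample workflows are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the chps-scorer project: flag `uses:` references
# in GitHub workflow files that are not pinned to a full 40-hex-char commit SHA.
# Function names are illustrative; the sample workflows below are constructed.

# True when $1 is exactly 40 lowercase hex characters (a full Git commit SHA).
is_full_sha() {
  case "$1" in
    *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# Scan each workflow file given as an argument. Prints "file:line: ref" for
# every action reference pinned to a tag or branch (or not pinned at all) and
# returns 1 if any were found, 0 if every reference is SHA-pinned.
# Local actions (./path) and docker:// images are skipped: the former live in
# this repository, the latter are pinned by image digest, not by commit SHA.
check_pinned_actions() {
  status=0
  for file in "$@"; do
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
      lineno=$((lineno + 1))
      trimmed=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//')
      case "$trimmed" in
        '#'*) continue ;;                # YAML comment line
        uses:*|-*uses:*) ;;              # "uses: ..." or "- uses: ..."
        *) continue ;;
      esac
      ref=${trimmed#*uses:}              # drop the key
      ref=${ref%%#*}                     # drop a trailing comment such as "# v1.0.0"
      ref=$(printf '%s\n' "$ref" | tr -d ' \t"'"'")   # drop whitespace and quotes
      [ -n "$ref" ] || continue
      case "$ref" in
        ./*|docker://*) continue ;;
      esac
      sha=${ref##*@}                     # text after the last "@"; equals $ref if no "@"
      if [ "$sha" = "$ref" ] || ! is_full_sha "$sha"; then
        printf '%s:%d: unpinned action reference: %s\n' "$file" "$lineno" "$ref"
        status=1
      fi
    done < "$file"
  done
  return "$status"
}

# Constructed sample: two references on mutable refs, two SHA-pinned, plus a
# local action, a docker:// image and a commented-out line that must be ignored.
make_sample_workflow() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
name: sample
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: "actions/setup-go@0123456789abcdef0123456789abcdef01234567" # v5
      - uses: ./.github/actions/local-helper
      - uses: docker://alpine:3.19
      # uses: commented/out@main
      - name: CHPs Security Check
        uses: vipulgupta2048/chps-scorer-github-action@abcdef123456789abcdef123456789abcdef1234 # v1.0.0
      - uses: peter-evans/create-issue-from-file@main
EOF
  printf '%s\n' "$f"
}

# Constructed sample in which every third-party reference is SHA-pinned.
make_pinned_workflow() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
steps:
  - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4
  - uses: ./.github/actions/local-helper
EOF
  printf '%s\n' "$f"
}

# Usage: sh check-pins.sh .github/workflows/*.yml   (non-zero exit on any unpinned ref)
if [ "$#" -gt 0 ]; then
  check_pinned_actions "$@"
fi
```

Run it as a CI step or a pre-commit hook so an unpinned `@v1` or `@main` fails the build. The check is deliberately text-based rather than a YAML parser: it only needs the `uses:` lines, and a line-oriented scan reports the exact line to fix.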
This action is licensed under the Apache License, Version 2.0.