Integrating Docker Scout with GitHub Workflow

Integrate Docker Scout into your CI workflow to proactively identify vulnerabilities early in the development process.

Ivan (アイバン) Porta
Published in Cloud Native Daily, 5 min read, Jun 13

In my previous article, I discussed the importance of vulnerability scanning and how Docker Scout can provide a better overview of dependencies and their associated vulnerabilities.

In this article, we will get our hands on Docker Scout by creating a GitHub Workflow that builds a Docker image and scans it for vulnerabilities before its content is merged into a production branch and published to Docker Hub. Catching known vulnerabilities at this stage increases the quality of the released application.

Creating a Sample Application

For this tutorial, we will use my Hypnos application code as an example. This is a web application built using React.js and the Yarn package manager. First, we must create its Dockerfile.

# Base image: Node.js 14 on Alpine Linux
FROM node:14-alpine
WORKDIR /app
# Copy only the manifest and lockfile first so the dependency layer is cached
COPY package.json ./
COPY yarn.lock ./
# Install exactly the versions pinned in yarn.lock
RUN yarn install --frozen-lockfile
# Copy the application source (node_modules is excluded via .dockerignore)
COPY . .
EXPOSE 3000
CMD ["npm", "start"]

Next, it’s good practice to instruct Docker to prevent the local node_modules folder from being unintentionally copied into the Docker image. This folder can become quite large, and since the dependencies are installed during the build anyway, we don’t need to copy it. To do so, create a .dockerignore file with the following content:

node_modules

Before moving to the actual GitHub Action, let’s build the image locally to ensure everything works as expected.

docker image build -t hypnos:1.0 .

Finally, we can run a container with the newly created image.

docker run -p 3000:3000 hypnos:1.0

Automating the Build and Scanning Using GitHub Actions

Now that we have our working Docker image, we can focus on automating the vulnerability scanning using…
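The following workflow is an added example of the pipeline the introduction describes (build the image, scan it, and block the merge when serious vulnerabilities are found); it is not the article's own workflow file. The file path, the `main` branch name, the `hypnos` image tag, the `DOCKERHUB_USERNAME` and `DOCKERHUB_TOKEN` repository secrets, and the critical/high severity threshold are assumptions. It uses the published docker/login-action, docker/build-push-action and docker/scout-action actions.

```yaml
# Added example: .github/workflows/scout.yml (assumed path and names)
name: Build and scan with Docker Scout

on:
  pull_request:
    branches: [main]   # assumed name of the production branch

jobs:
  build-and-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the repository
        uses: actions/checkout@v4

      # Docker Scout requires an authenticated Docker Hub session.
      # DOCKERHUB_USERNAME and DOCKERHUB_TOKEN are assumed repository secrets;
      # use an access token rather than the account password.
      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # Build the image from the Dockerfile above and load it into the
      # runner's Docker daemon without pushing, so it can be scanned first.
      - name: Build image
        uses: docker/build-push-action@v5
        with:
          context: .
          load: true
          push: false
          tags: hypnos:${{ github.sha }}

      # Scan the image and fail the job when critical or high CVEs are
      # present. The severity threshold is an assumed policy; exit-code
      # makes the action return non-zero so the pull request check fails.
      - name: Scan for CVEs with Docker Scout
        uses: docker/scout-action@v1
        with:
          command: cves
          image: hypnos:${{ github.sha }}
          only-severities: critical,high
          exit-code: true
```

Because the image is only loaded locally and never pushed here, a failing scan leaves nothing on Docker Hub; publishing belongs in a separate job that runs after the merge into the production branch, once this check has passed.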
