Add Wiz Scanning Into Build Pipeline

jonathanrainer · jonathanrainer · commit 6b89bf0c4b80 · 2025-04-29T05:58:42.000+01:00
diff --git a/.github/workflows/build_docker_image.yaml b/.github/workflows/build_docker_image.yaml
@@ -55,6 +55,44 @@ jobs:
             org.opencontainers.image.description=${{ inputs.description }}
             org.opencontainers.image.vendor=Apollo GraphQL
             org.opencontainers.image.licenses=MIT
+      - name: Build and Load Docker Image For Testing
+        id: build-for-testing
+        uses: docker/build-push-action@67dc78bbaf388b3265f7e1c880e681f4b90d5f48
+        with:
+          context: ${{ inputs.directory }}
+          file: ${{ inputs.directory }}/Dockerfile
+          load: true
+          tags: ${{ inputs.image_name }}:test
+          platforms: ${{ inputs.platforms }}
+      - name: Install Wiz CLI
+        working-directory: ${{ runner.temp }}
+        run: |
+          apt-get update
+          apt-get install gpg
+          curl -Lo wizcli https://downloads.wiz.io/wizcli/latest/wizcli-linux-amd64
+          curl -Lo wizcli-sha256 https://downloads.wiz.io/wizcli/latest/wizcli-linux-amd64-sha256
+          curl -Lo wizcli-sha256.sig https://downloads.wiz.io/wizcli/latest/wizcli-linux-amd64-sha256.sig
+          curl -Lo wiz_public_key.asc https://downloads.wiz.io/wizcli/public_key.asc
+          gpg --import wiz_public_key.asc
+          gpg --verify /tmp/wizcli-sha256.sig /tmp/wizcli-sha256
+          echo "$(cat /tmp/wizcli-sha256) wizcli" | sha256sum --check
+          chmod +x wizcli
+      - name: Authenticate Wiz CLI
+        working-directory: ${{ runner.temp }}
+        run: |
+          ./wizcli auth --id ${{ secrets.WIZ_CLIENT_ID }} --secret ${{ secrets.WIZ_CLIENT_SECRET }}
+      - name: Scan Image
+        working-directory: ${{ runner.temp }}
+        run: |
+          mkdir -p /tmp/workspace/sbom
+          /tmp/wizcli docker scan \
+            --image ${{ inputs.image_name }}:test \
+            --dockerfile ${{ inputs.directory }}/Dockerfile \
+            --policy "Apollo-Default-Vulnerabilities-Policy" \
+            --sbom-format spdx-json \
+            --sbom-output-file ${{ runner.temp }}/${{ inputs.image_name }}/sbom.json \
+            --timeout "0h9m0s" \
+            --sensitive-data
       - name: Build and Push Docker image
         id: push
         uses: docker/build-push-action@67dc78bbaf388b3265f7e1c880e681f4b90d5f48
