YAML for Docker Image Ops

Scan, push and promote Docker images, with optional delayed mirroring (quarantine) for supply-chain protection.

YAML parameters for Docker Image Ops

PARAMETERS
srcrequiredImageOpsSrcYaml
Source image to scan and/or copy. Use registry ACTION to take the image built by a previous action.
typerequiredstring

Value: DOCKER_IMAGE_OPS

actionrequiredstring
Unique identifier for the action within the pipeline.
pushImageOpsPushYaml
Destination to copy the image to. Omit to only scan. Set quarantine (days) for delayed mirroring.
scanImageOpsScanYaml
Trivy scan configuration (scanners, severities, ignore rules). Omit to skip scanning.
trigger_timestring enum
Specifies when the action should be executed.
Allowed enum:
ON_EVERY_EXECUTION,
ON_SUCCESS,
ON_FAILURE,
ON_BACK_TO_SUCCESS,
ON_WARNING,
ON_WAIT_FOR_APPROVE,
ON_TERMINATE
loopstring[]
The list of variables for dynamic action execution. The action runs once for each value.
run_only_on_first_failureboolean
Defines whether the action should be executed on each failure. Restricted to and required if the trigger_time is ON_FAILURE.
disabledboolean
When set to true the action is disabled. By default it is set to false.
timeoutinteger
The timeout in seconds.
ignore_errorsboolean
If set to true the execution will proceed, mark action as a warning and jump to the next action. Doesn't apply to deployment actions.
retry_intervalinteger
Delay time between auto retries in seconds.
retry_countinteger
Number of retries if the action fails.
run_nextstring enum
Defines whether the action should run in parallel with the next one.
Allowed enum:
WAIT_ON_SUCCESS,
IN_SOFT_PARALLEL,
IN_HARD_PARALLEL
trigger_conditionsTriggerConditionYaml[]
The list of trigger conditions to meet so that the action can be triggered.
variablesVariableYaml[]
The list of variables you can use in the action.

Last modified on Jul 13, 2026

YAML examples for Docker Image Ops

Scan an image produced by the previous action

yaml
- action: "Docker image ops" type: "DOCKER_IMAGE_OPS" src: docker_registry: "ACTION" from_action: "Build Docker image" scan: scanners: - "VULNERABILITY" - "SECRET" severities: - "CRITICAL" - "HIGH"

Scan the image built by the immediately preceding action

yaml
- action: "Docker image ops" type: "DOCKER_IMAGE_OPS" src: docker_registry: "ACTION" scan: scanners: - "VULNERABILITY" severities: - "CRITICAL" - "HIGH"

Scan and push an image built by a previous action

yaml
- action: "Docker image ops" type: "DOCKER_IMAGE_OPS" src: docker_registry: "ACTION" from_action: "Build Docker image" push: docker_registry: "ARTIFACT_REGISTRY" name: "my-app" tag: "1.0.0" scan: scanners: - "VULNERABILITY" severities: - "CRITICAL" - "HIGH"

Scan and promote an image to a new tag in the same registry

yaml
- action: "Docker image ops" type: "DOCKER_IMAGE_OPS" src: docker_registry: "DOCKER_HUB" integration: "docker-hub" image: "my-org/my-app" tag: "staging" push: docker_registry: "DOCKER_HUB" integration: "docker-hub" name: "my-org/my-app" tag: "production" scan: scanners: - "VULNERABILITY" severities: - "CRITICAL"

Delayed mirror with quarantine, scan and ignore rules

yaml
- action: "Docker image ops" type: "DOCKER_IMAGE_OPS" src: docker_registry: "DOCKER_HUB" image: "node" tag: "20" push: docker_registry: "AMAZON_ECR" region: "us-east-1" integration: "my-ecr" quarantine: 14 scan: scanners: - "VULNERABILITY" - "SECRET" - "MISCONFIGURATION" severities: - "CRITICAL" - "HIGH" fail_only_on_fixable: true ignore: vulnerabilities: - id: "CVE-2023-45853" statement: "No upstream fix available, accepted risk" expires_at: "2026-09-21" paths: - "vendor/"