YAML for Docker Image Ops
Scan, push and promote Docker images, with optional delayed mirroring (quarantine) for supply-chain protection.
YAML examples for Docker Image Ops
Scan an image produced by the previous action
yaml- action: "Docker image ops" type: "DOCKER_IMAGE_OPS" src: docker_registry: "ACTION" from_action: "Build Docker image" scan: scanners: - "VULNERABILITY" - "SECRET" severities: - "CRITICAL" - "HIGH"
Scan the image built by the immediately preceding action
yaml- action: "Docker image ops" type: "DOCKER_IMAGE_OPS" src: docker_registry: "ACTION" scan: scanners: - "VULNERABILITY" severities: - "CRITICAL" - "HIGH"
Scan and push an image built by a previous action
yaml- action: "Docker image ops" type: "DOCKER_IMAGE_OPS" src: docker_registry: "ACTION" from_action: "Build Docker image" push: docker_registry: "ARTIFACT_REGISTRY" name: "my-app" tag: "1.0.0" scan: scanners: - "VULNERABILITY" severities: - "CRITICAL" - "HIGH"
Scan and promote an image to a new tag in the same registry
yaml- action: "Docker image ops" type: "DOCKER_IMAGE_OPS" src: docker_registry: "DOCKER_HUB" integration: "docker-hub" image: "my-org/my-app" tag: "staging" push: docker_registry: "DOCKER_HUB" integration: "docker-hub" name: "my-org/my-app" tag: "production" scan: scanners: - "VULNERABILITY" severities: - "CRITICAL"
Delayed mirror with quarantine, scan and ignore rules
yaml- action: "Docker image ops" type: "DOCKER_IMAGE_OPS" src: docker_registry: "DOCKER_HUB" image: "node" tag: "20" push: docker_registry: "AMAZON_ECR" region: "us-east-1" integration: "my-ecr" quarantine: 14 scan: scanners: - "VULNERABILITY" - "SECRET" - "MISCONFIGURATION" severities: - "CRITICAL" - "HIGH" fail_only_on_fixable: true ignore: vulnerabilities: - id: "CVE-2023-45853" statement: "No upstream fix available, accepted risk" expires_at: "2026-09-21" paths: - "vendor/"