Jake Lacey
Securing your Docker images with GitHub Actions for FREE!

Securing your containers is massively important, and the consequences of not doing so put your customers at risk. However, it is really difficult to do without paying top dollar or having an experienced DevOps team constantly monitoring your images and applying patches.

As developers we want to build our products, and build them fast, so if we can automate this process so that we're only notified when there are issues, then great!

So today we're going to secure our images using GitHub Actions, and for free!

What are GitHub Actions?

GitHub Actions makes it easy to automate all your software workflows, now with world-class CI/CD. Build, test, and deploy your code right from GitHub. Make code reviews, branch management, and issue triaging work the way you want.

Pretty awesome, huh! And you don't have to manage infrastructure like that nasty Jenkins!

What is Phonito?

Phonito is a vulnerability scanning tool for the everyday developer: it scans numerous vulnerability databases and informs you of the latest vulnerabilities affecting your image, and for CI integrations it's FREE to use!

Even if you've never built a GitHub Action before, this is a great place to start.

So let's get started:

  • Go to the "Actions" tab of a GitHub repo.
  • Either add a new workflow by copying the YAML below, or add the "Scan with Phonito Security" step after your Docker build step, as in this example workflow.
name: Build & Scan Docker Image
on: [push]
jobs:
  # Job id "build" is not in the original post; any id works.
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1

      - name: Set tag var
        id: vars
        # Tag = branch name + commit SHA, e.g. main-<sha>.
        # Note: "::set-output" is deprecated; newer runners expect
        #   echo "docker_tag=..." >> "$GITHUB_OUTPUT"
        run: echo ::set-output name=docker_tag::$(echo ${GITHUB_REF} | cut -d'/' -f3)-${GITHUB_SHA}

      - name: Build the Docker image
        run: docker build . --file Dockerfile --tag myapp:${{ steps.vars.outputs.docker_tag }}

      - name: Scan with Phonito Security
        # Referencing @master pulls whatever the branch currently contains;
        # pinning to a release tag or commit SHA gives a reproducible build.
        uses: phonito/phonito-scanner-action@master
        with:
          image: myapp:${{ steps.vars.outputs.docker_tag }}
          phonito-token: ${{ secrets.PHONITO_TOKEN }}
  • Next we need to get our API key:
    • Register at
    • Then get your API key 🔑


  • Add that API key as a secret named PHONITO_TOKEN in your repo.

And that's it 🎉

Next time you push to your repo this scanner will run and check for any vulnerabilities you have. It's as simple as that, and FREE, so there is no excuse to release insecure software!! :)
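One detail of the "Set tag var" step worth understanding is how the image tag is derived: `cut -d'/' -f3` takes the third `/`-separated field of `GITHUB_REF`, which is the branch name for `refs/heads/main` but only `feature` for a branch like `refs/heads/feature/login`, so two such branches would build (and scan) under the same tag. The script below is an added example, not code from the original post or from Phonito: it reproduces the post's derivation, then shows a variant that keeps the whole branch name and maps it onto the characters Docker allows in a tag. The sample `GITHUB_REF`/`GITHUB_SHA` values are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Derives a Docker image tag from
# GitHub's GITHUB_REF and GITHUB_SHA variables; sample values are constructed.

# The post's derivation: third "/"-separated field of the ref, plus the SHA.
# Loses everything after the first "/" in the branch name.
naive_tag_from_ref() {
  ref=$1
  sha=$2
  printf '%s-%s\n' "$(printf '%s\n' "$ref" | cut -d'/' -f3)" "$sha"
}

# Safer variant: strip only the refs/heads/ or refs/tags/ prefix, then replace
# anything outside Docker's tag alphabet [A-Za-z0-9_.-] with "-", trim a
# leading "." or "-", and append a short SHA. The branch part is capped so the
# whole tag stays well under Docker's 128-character limit.
docker_tag_from_ref() {
  ref=$1
  sha=$2
  name=${ref#refs/heads/}
  name=${name#refs/tags/}
  name=$(printf '%s' "$name" | tr -c 'A-Za-z0-9_.-' '-' | cut -c1-80)
  name=${name#-}
  name=${name#.}
  short=$(printf '%s' "$sha" | cut -c1-12)
  printf '%s-%s\n' "$name" "$short"
}

# Check a tag against Docker's rules: starts with a letter, digit or "_",
# then up to 127 characters from [A-Za-z0-9_.-].
is_valid_docker_tag() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
}

# Constructed sample values, in the format the GitHub runner sets them.
SAMPLE_SHA=0123456789abcdef0123456789abcdef01234567
for ref in refs/heads/main refs/heads/feature/login refs/tags/v1.0; do
  echo "ref=$ref"
  echo "  post's tag:  $(naive_tag_from_ref "$ref" "$SAMPLE_SHA")"
  echo "  safer tag:   $(docker_tag_from_ref "$ref" "$SAMPLE_SHA")"
done
```

Running it prints the two derivations side by side; for `refs/heads/feature/login` the post's version yields `feature-<sha>` while the safer one yields `feature-login-<short sha>`, which is what you want if the scan results are to be traceable to the branch that produced the image.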


If you're stuck, look at this example repo or raise an issue here.