feat: Use pre-built docker images (#12)

Author: kieran-smith77

.github/workflows/build-docker-image.yaml

@@ -2,7 +2,17 @@ name: Build Docker Image
 
 on:
   push:
-    branches: [master]
+    branches:
+      - master
+      - main
+      - 'feature/**'
+      - 'bugfix/**'
+      - 'hotfix/**'
+      - develop
+  pull_request:
+    branches:
+      - master
+      - main
 
 jobs:
   build:
@@ -14,6 +24,21 @@ jobs:
     steps:
       - uses: actions/checkout@v5
 
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/itv/kics-github-action
+          tags: |
+            # set latest tag for default branch
+            type=raw,value=latest,enable={{is_default_branch}}
+            # use branch name for branch builds (push events)
+            type=ref,event=branch
+            # use pr number for pull requests
+            type=ref,event=pr
+            # use short sha with safe prefix for all events
+            type=sha,prefix=sha-
+
       - name: Login to GHCR
         uses: docker/login-action@v3
         with:
@@ -26,4 +51,10 @@ jobs:
         with:
           context: .
           push: true
-          tags: ghcr.io/itv/kics-github-action:latest
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Output image details
+        run: |
+          echo "Built and pushed the following tags:"
+          echo "${{ steps.meta.outputs.tags }}"

Dockerfile

@@ -3,12 +3,26 @@ FROM ${DOCKERHUB_REGISTRY}/checkmarx/kics:v2.1.13 as kics-env
 
 FROM cgr.dev/chainguard/wolfi-base:latest
 
+# Install Node.js and npm
+RUN apk add --update nodejs npm
+
 COPY --from=kics-env /app /app
 
 COPY ./entrypoint.sh /entrypoint.sh
 
 RUN chmod +x /entrypoint.sh
 
-COPY ./ /app
+# Copy package files first for better Docker layer caching
+COPY package*.json /app/
+
+# Set working directory and install dependencies
+WORKDIR /app
+RUN npm ci
+
+# Copy rest of the application files
+COPY ./ /app/
+
+# Build the application
+RUN npm run build --if-present
 
 ENTRYPOINT ["/entrypoint.sh"]

action.yml

@@ -104,24 +104,26 @@ inputs:
   cloud_provider:
     description: "list of cloud providers to scan (alicloud, aws, azure, gcp)"
     required: false
-  dockerhub_registry:
-    description: "The Docker registry for the KICS base image. Overridden for private registries."
+  use-ecr-registry:
+    description: "Whether to use AWS ECR as the container registry"
     required: false
-    default: "docker.io"
+    default: "false"
 branding:
   icon: "shield"
   color: "green"
 runs:
   using: "composite"
   steps:
-    - name: Build KICS Action Image
-      shell: bash
-      run: docker build --build-arg DOCKERHUB_REGISTRY="${{ inputs.dockerhub_registry }}" -t kics-action:latest "${{ github.action_path }}"
-
     - name: Run KICS Scan
       shell: bash
       run: |
-        docker run --name kics-scan \
+        if [[ "${{ inputs.use-ecr-registry }}" == "true" ]]; then
+          IMAGE="655028521085.dkr.ecr.eu-west-1.amazonaws.com/cp-gha-kics:0.0.2"
+        else
+          IMAGE="ghcr.io/itv/kics-github-action:develop"
+        fi
+        echo "Using image: $IMAGE"
+        docker run --quiet --name kics-scan \
         -v "${{ github.workspace }}":"${{ github.workspace }}" \
         -w "${{ github.workspace }}" \
         -e GITHUB_ACTION \
@@ -177,4 +179,4 @@ runs:
         -e INPUT_INCLUDE_QUERIES="${{ inputs.include_queries }}" \
         -e INPUT_BOM="${{ inputs.bom }}" \
         -e INPUT_CLOUD_PROVIDER="${{ inputs.cloud_provider }}" \
-        kics-action:latest
+        $IMAGE

entrypoint.sh

@@ -86,8 +86,5 @@ cp -r "${CP_PATH}" "/app/"
 
 cd /app
 
-# install and run nodejs
-apk add --update nodejs npm
-npm ci
-npm run build --if-present
+# run nodejs application
 node dist/index.js