Centralized container security automation for GitHub organizations using GitHub Actions with support for Blacksmith, GitHub-hosted, or self-hosted runners.
This repository provides:
- org-wide repository discovery for repos containing Dockerfiles
- reusable container scanning workflows
- configurable runner backends for Blacksmith, GitHub-hosted, or self-hosted runners
- small-scale fast mode for ordinary repos using prewarmed self-hosted runners
- policy-driven target selection
- normalized per-scan and org-wide reports
- onboarding documentation for GitHub App authentication and rollout
.github/workflows/discover-and-dispatch.yml: scheduled and manual orchestration workflow.github/workflows/reusable-container-scan.yml: reusable per-target scan workflowconfig/org-scan-policy.yaml: org-wide defaults and execution settingsscripts/: discovery, selection, normalization, and helper scriptstestdata/: smoke-test fixturestests/: unit and CLI smoke testsdocs/onboarding.md: setup and rollout guidance
- Create a virtual environment.
- Install dependencies from
requirements.txt. - Run the automated test suite.
- Run the V1 smoke test.
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
python3 -m unittest discover -s tests -v
bash scripts/run_v1_smoke_test.shRequired secrets:
ORG_SCAN_APP_IDORG_SCAN_APP_PRIVATE_KEY
Optional secrets and variables for private registries:
REGISTRY_USERNAMEREGISTRY_PASSWORDREGISTRY_HOST
See Onboarding for full setup details.
- The reusable workflow supports
advisoryandenforcepolicy modes. - Repository-level overrides can be defined in
.github/security-container-scan.yml. - Small-scale fast mode is intended for personal or small-team repos where Blacksmith is not available.
If you discover a vulnerability in this automation, follow the process in SECURITY.md.