🛡️ Secure Your Container Images Automatically
The AccuKnox Container Scan GitHub Action enables developers and DevSecOps teams to perform automated vulnerability scans on container images and seamlessly upload results to the AccuKnox Console. Ensure your container workloads are compliant, secure, and free from known vulnerabilities.
✅ Automated Container Image Scanning – Detects known vulnerabilities in containerized workloads. ✅ Seamless GitHub Actions Integration – Plug directly into your CI/CD pipelines. ✅ Centralized Results – Scan reports are uploaded to the AccuKnox Console for review and tracking. ✅ Severity Enforcement – Block deployments with high/critical vulnerabilities. ✅ Custom Labels and Metadata – Tag scan reports using labels in AccuKnox Console.
Before using this GitHub Action, ensure you have the following:
1️⃣ AccuKnox Console Access – Sign in to your AccuKnox tenant. 2️⃣ API Token & Tenant ID – Retrieve these from the AccuKnox Console. (see Token Generation). 3️⃣ Label Created in Console – For tagging the uploaded scan reports. 4️⃣ GitHub Secrets Setup – Store credentials securely using GitHub Secrets.
-
Login to AccuKnox Console
-
Navigate to Settings → Tokens
-
Click "Create Token" and store:
accuknox_tokentenant_id
Create a workflow file (e.g., .github/workflows/container-scan.yml) and add the following configuration:
name: AccuKnox Container Scan
on:
push:
branches:
- main
jobs:
container-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Run AccuKnox Container Scanner
uses: accuknox/container-scan-action@v1.0.0
with:
endpoint: ${{ secrets.ACCUKNOX_ENDPOINT }}
token: ${{ secrets.ACCUKNOX_DEV_TOKEN }}
tenant_id: ${{ secrets.TENANT_ID }}
image: "your-image-name"
tag: "latest"
severity: "HIGH,CRITICAL"
label: "container-release-scan"| Input | Description | Required | Default |
|---|---|---|---|
endpoint |
URL of the AccuKnox Console to push scan results | ✅ Yes | cspm.demo.accuknox.com |
token |
API token to authenticate with the AccuKnox Console | ✅ Yes | — |
tenant_id |
Tenant ID from the AccuKnox Console | ✅ Yes | — |
image |
Name of the container image to scan | ✅ Yes | — |
tag |
Version tag for the container image | ✅ Yes | ${{ github.run_id }} |
severity |
(Optional) Severity levels to block pipeline (LOW, MEDIUM, HIGH, etc) |
❌ No | — |
label |
Label used in AccuKnox Console to tag scan results | ✅ Yes | — |
1️⃣ Container Image is Scanned AccuKnox Container Vulnerability Scanner analyzes the specified image for CVEs and misconfigurations.
2️⃣ Scan Report Generated A JSON scan report is produced with detailed findings.
3️⃣ Upload to AccuKnox Console The report is securely sent to your tenant's dashboard for centralized review and tracking.
4️⃣ Severity Filtering (Optional)
If severity is defined, the workflow will block if matching vulnerabilities are found.
❌ Pipeline Blocked by Vulnerabilities?
- Adjust the
severityinput to allow less critical findings. - Review scan reports in the AccuKnox Console to triage issues.
🔑 Authentication Errors?
- Verify your
tokenandtenant_idare correctly stored in GitHub Secrets. - Regenerate credentials in AccuKnox Console if needed.
🧪 Best Practices
- Scan every push and release candidate.
- Use different labels for different environments (e.g., dev, staging, prod).
- Monitor trends via AccuKnox Console for proactive risk management.
📚 Read More: AccuKnox Docs 📧 Contact Support: support@accuknox.com
The AccuKnox Container Scan GitHub Action empowers your CI/CD pipelines with automated container security scanning. Identify critical issues early, enforce deployment security gates, and gain visibility into vulnerabilities across container workloads.
🔐 Shift Left with AccuKnox – Secure from Build to Runtime! 🧱
Let me know if you'd like the badge or marketplace submission content as well.