Add boilerplate

Author: Lantero

actions/scan-image/CHANGELOG.md

@@ -0,0 +1,8 @@
+# Changelog
+
+## 0.1.0 (2025-10-03)
+
+### 🎉 Features
+
+* **scan-image:** add `snyk` and `trivy` vulnerability scanners with a fail condition configuration
+* **scan-image:** add [Dockerhub](https://hub.docker.com/) and [Google Artifact Registry](https://cloud.google.com/artifact-registry/docs) as available private sources

actions/scan-image/README.md

@@ -0,0 +1,26 @@
+# scan-image
+
+This is a composite GitHub Action used to scan your images in search of vulnerabilities.
+
+The goal is to provide developers a way to check if their PR changes, without having to
+wait for periodic scans (Faster feedback loop). This can also be used as part of deployment
+CI/CD jobs as a way to verify things before shipping to production environments.
+
+<!-- x-release-please-start-version -->
+
+```yaml
+name: Scan image for vulnerabilities
+jobs:
+  scan-image:
+    name: Scan image for vulnerabilities
+    steps:
+      - name: Scan image for vulnerabilities
+        id: scan-image
+        uses: grafana/shared-workflows/actions/scan-image@scan-image/v0.1.0
+        with:
+          image_name: docker.io/hello-world
+          fail_on: critical
+          fail_on_threshold: 1
+```
+
+<!-- x-release-please-end-version -->

actions/scan-image/action.yaml

@@ -0,0 +1,84 @@
+name: Scan Image
+description: Composite action to check an image for vulnerabilities
+
+inputs:
+  image_name:
+    description: "The name of the image to scan, including the registry e.g. docker.io/hello-world"
+    required: true
+  image_source:
+    description: "The source of the image to scan"
+    type: choice
+    options:
+      - public
+      - private_dockerhub
+      - private_gar
+    default: public
+  fail_on:
+    description: "Whether to fail the workflow if vulnerabilities are found"
+    type: choice
+    options:
+      - critical
+      - high
+      - medium
+      - low
+    default: critical
+  fail_on_threshold:
+    description: "The threshold of vulnerabilities to fail the workflow on"
+    type: integer
+    default: 1
+  trivy_version:
+    description: "The version of Trivy to use (The latest will be used if not provided)"
+    type: string
+
+outputs:
+  trivy:
+    description: "The results of the Trivy scan"
+    type: string
+    value: ${{ steps.run-trivy.outputs.results }}
+
+runs:
+  using: composite
+  steps:
+
+    - name: Login to DockerHub
+      id: login-to-dockerhub
+      if: inputs.image_source == 'private_dockerhub'
+      uses: grafana/shared-workflows/actions/[email protected]
+
+    - name: Extract GAR registry
+      id: extract-gar-registry
+      if: inputs.image_source == 'private_gar'
+      shell: bash
+      run: |
+        IMAGE_NAME="${{ inputs.image_name }}"
+        REGISTRY="${IMAGE_NAME%%/*}"
+        echo "registry=${REGISTRY}" >> $GITHUB_OUTPUT
+
+    - name: Login to GAR
+      id: login-to-gar
+      if: inputs.image_source == 'private_gar'
+      uses: grafana/shared-workflows/actions/login-to-gar@login-to-gar/v1.0.0
+      with:
+        registry: ${{ steps.extract-gar-registry.outputs.registry }}
+
+    - name: Setup Trivy (Latest)
+      id: setup-trivy-latest
+      if: inputs.trivy_version == ''
+      uses: aquasecurity/[email protected]
+
+    - name: Setup Trivy (Pinned)
+      id: setup-trivy-pinned
+      if: inputs.trivy_version != ''
+      uses: aquasecurity/[email protected]
+      with:
+        version: ${{ inputs.trivy_version }}
+
+    - name: Run Trivy
+      id: run-trivy
+      shell: bash
+      run: |
+        trivy image ${{ inputs.image_name }} -f json > trivy.json
+        cat trivy.json
+        echo "results=$(cat trivy.json)" >> $GITHUB_OUTPUT
+
+