GitHub Action

Scan container images in your CI/CD pipeline. Generate SBOMs, detect vulnerabilities, audit cryptographic assets, and scan for malware — directly in GitHub Actions.


Quick Start

- uses: getreeldev/releases@v1
  with:
    image: myapp:${{ github.sha }}
    scan-types: sbom,malware

Inputs

| Input            | Required | Default      | Description                                            |
|------------------|----------|--------------|--------------------------------------------------------|
| image            | yes      |              | Container image to scan                                |
| scan-types       | no       | sbom         | Comma-separated: sbom, cbom, sarif, malware            |
| scanners         | no       |              | Trivy scanners: vuln, secret, license, config, all     |
| severity         | no       |              | Severity filter: LOW, MEDIUM, HIGH, CRITICAL           |
| fail-on-findings | no       | false        | Fail the step if any findings survive the scan filters |
| format           | no       | cyclonedx    | SBOM format: cyclonedx, spdx, spdx-json                |
| output-dir       | no       | reel-results | Directory for scan outputs                             |
| reel-version     | no       | latest       | Reel CLI version to use                                |

Outputs

| Output        | Description                                    |
|---------------|------------------------------------------------|
| sbom-file     | Path to the SBOM output file                   |
| sarif-file    | Path to the SARIF output file                  |
| malware-file  | Path to the malware scan output file           |
| vuln-count    | Number of vulnerabilities found after filtering |
| malware-count | Number of infected files found                 |

Fail on Findings

Use fail-on-findings to break the build when vulnerabilities or malware are detected. The scan filters control what counts as a finding — the action fails if anything survives the filters.

# Fail on critical vulnerabilities or malware
- uses: getreeldev/releases@v1
  with:
    image: myapp:${{ github.sha }}
    scan-types: sbom,malware
    scanners: vuln
    severity: CRITICAL
    fail-on-findings: true

Scans always complete and produce artifacts, even when findings are detected. The evaluation step runs after all scans finish, so reports are always available for review.

SARIF Upload

Generate SARIF output and upload to GitHub Code Scanning for vulnerability alerts in pull requests:

- uses: getreeldev/releases@v1
  with:
    image: myapp:${{ github.sha }}
    scan-types: sarif
- uses: github/codeql-action/upload-sarif@v3
  with:
    sarif_file: reel-results/results.sarif

Full Pipeline Example

# .github/workflows/security.yml
name: Security Scan
on: [push, pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .
      - uses: getreeldev/releases@v1
        id: scan
        with:
          image: myapp:${{ github.sha }}
          scan-types: sbom,malware
          scanners: vuln
          severity: HIGH,CRITICAL
          fail-on-findings: true
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: security-reports
          path: reel-results/

The if: always() on the upload step ensures artifacts are saved even when the scan gate fails.
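An added example, not from the Reel docs, showing how the outputs listed above can drive a gate of your own: fail-on-findings is left at its default so the job breaks only on malware, while HIGH/CRITICAL vulnerability counts go to the job summary and to Code Scanning via SARIF. The registry host, the secret names and the docker/login-action step are assumptions.

```yaml
name: Security Scan (report vulns, block malware)
on: [pull_request]
jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required by upload-sarif
    steps:
      - uses: actions/checkout@v4
      # Assumed private registry host and secret names (see "Image not found")
      - uses: docker/login-action@v3
        with:
          registry: registry.example.com
          username: ${{ secrets.REGISTRY_USER }}
          password: ${{ secrets.REGISTRY_TOKEN }}
      - uses: actions/cache@v4
        with:
          path: ~/.cache/reel
          key: reel-cache-${{ runner.os }}
      - uses: getreeldev/releases@v1
        id: scan
        with:
          image: registry.example.com/myapp:${{ github.sha }}
          scan-types: sbom,sarif,malware
          scanners: vuln
          severity: HIGH,CRITICAL
          fail-on-findings: false   # gate is applied in the last step instead
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif-file }}
      - name: Summarize outputs and gate on malware only
        env:
          VULNS: ${{ steps.scan.outputs.vuln-count }}
          MALWARE: ${{ steps.scan.outputs.malware-count }}
        run: |
          {
            echo "## Reel scan of myapp:${{ github.sha }}"
            echo "- HIGH/CRITICAL vulnerabilities (reported, not blocking): $VULNS"
            echo "- Infected files: $MALWARE"
          } >> "$GITHUB_STEP_SUMMARY"
          # Empty output (scan produced no count) is treated as zero
          if [ "${MALWARE:-0}" -gt 0 ]; then
            echo "::error::malware found in image; failing the job"
            exit 1
          fi
```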

Caching

Reel downloads Trivy and ClamAV on first use to ~/.cache/reel/. Add a cache step to avoid re-downloading on every run:

- uses: actions/cache@v4
  with:
    path: ~/.cache/reel
    key: reel-cache-${{ runner.os }}
- uses: getreeldev/releases@v1
  with:
    image: myapp:${{ github.sha }}

Troubleshooting

Image not found

The image must be available to the runner — either built locally in a previous step, or pullable from a registry. For private registries, add a docker login step first.

Slow first run

First run downloads Trivy (~50MB) and ClamAV (~200MB) plus virus databases. Add the caching step above to speed up subsequent runs.

Scan passes but expected failure

Check that scanners: vuln is set — without it, severity has no effect because no vulnerability scanning is performed.