GitHub Actions Integration Guide
CascadeGuard generates a complete GitHub Actions CI/CD pipeline for your image repository. Running cg tools generate emits four workflow files under .github/workflows/.
Generated workflows
build-image.yaml — Reusable build workflow
A workflow_call workflow that builds, scans, attests, and signs a single image. It is called by the other workflows rather than triggered directly.
Steps performed:
- Check out source code
- Set up Docker Buildx
- Build the image
- Scan with Grype and Trivy
- Generate an SBOM with Syft
- Sign the image and attest the SBOM with Cosign (keyless, via Sigstore)
- Push to the registry
ci.yaml — PR checks and main-branch pipeline
Triggered on:
- push to main
- All pull_request events
On pull requests: builds the matrix of all images and runs scans. Does not push or sign.
On merge to main: builds, scans, signs, and pushes every image in images.yaml.
Matrix build: Every image defined in images.yaml gets its own parallel job. Adding a new image to images.yaml and re-running generate-ci automatically includes it in the matrix.
scheduled-scan.yaml — Nightly CVE re-scan
Triggered by:
- A nightly cron schedule
- Manual workflow_dispatch
Re-scans every currently published image against the latest vulnerability databases — without rebuilding. If a newly disclosed CVE is found in a published image, this workflow opens a GitHub Issue with details.
This ensures you are notified of new vulnerabilities even between scheduled rebuilds.
release.yaml — Tag-triggered release
Triggered by tag pushes matching v* (e.g. v1.2.3).
- Builds and signs all images
- Pushes to the registry with the release tag
- Creates a GitHub Release with a changelog
Regenerating pipelines
Whenever you change images.yaml (add, remove, or rename images), regenerate the CI files:
```
cg tools generate
```
Commit the updated workflow files. The matrix builds will automatically reflect the change on the next run.
Note: The generated files include a header comment (`# Auto-generated by CascadeGuard — do not edit by hand.`) to make their origin clear. Any manual edits will be overwritten on the next cg tools generate run.
Required repository secrets and permissions
| Secret / Permission | Used by | Purpose |
|---|---|---|
| GITHUB_TOKEN | All workflows | Registry push, Cosign keyless signing, issue creation |
| id-token: write | build-image.yaml, release.yaml | Required for Cosign keyless signing via OIDC |
| packages: write | build-image.yaml | Push images to GitHub Container Registry (ghcr.io) |
| issues: write | scheduled-scan.yaml | Open issues when new CVEs are found |
No additional secrets are required for the default configuration when using GitHub Container Registry. For private registries, add appropriate login secrets and customise the workflow templates.
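To show how the reusable build-image.yaml, the ci.yaml matrix job and the permissions in the table above fit together, here is an added example that is not the output of cg tools generate. Action names and versions, the reusable workflow's input names and the image directory layout are assumptions; the scan and SBOM steps are left out to keep the example short.

```yaml
# Added example, not a cg tools generate output; action versions and input names are assumptions.
# ---- ci.yaml (caller): one parallel job per image, generated from images.yaml
on:
  push: { branches: [main] }
  pull_request:
permissions: {}                    # no default grants; the job opts in below
jobs:
  build:
    strategy:
      matrix:
        image: [api, worker]       # constructed entries; regenerate when images.yaml changes
    uses: ./.github/workflows/build-image.yaml
    permissions:                   # caller must grant what the callee requests
      contents: read
      packages: write
      id-token: write
    with:
      name: ${{ matrix.image }}
      push: ${{ github.event_name == 'push' }}   # PRs: build and scan only
---
# ---- build-image.yaml (reusable; the Grype/Trivy/Syft steps are omitted here)
on:
  workflow_call:
    inputs:
      name: { type: string, required: true }
      push: { type: boolean, default: false }
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write              # push to ghcr.io
      id-token: write              # OIDC token that Cosign keyless exchanges with Sigstore
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: build
        uses: docker/build-push-action@v5
        with:
          context: images/${{ inputs.name }}    # assumed layout
          push: ${{ inputs.push }}
          tags: ghcr.io/${{ github.repository }}/${{ inputs.name }}:${{ github.sha }}
      - if: inputs.push
        uses: sigstore/cosign-installer@v3
      - if: inputs.push            # sign the immutable digest, never a mutable tag
        run: cosign sign --yes "ghcr.io/${{ github.repository }}/${{ inputs.name }}@${{ steps.build.outputs.digest }}"
```

Because the caller's permissions block is the upper bound for the called workflow, leaving id-token: write out of ci.yaml makes the keyless signing step fail even though build-image.yaml requests it.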
Platform configuration
The target CI platform is controlled by .cascadeguard.yaml in your state repository root:
```yaml
# .cascadeguard.yaml
ci:
  platform: github # default
```
You can also pass --platform to override at runtime:
```
cg tools generate --platform github
```
GitLab CI support is planned for a future release.
See also
- Getting Started — Full setup walkthrough
- Security Model — How scanning and signing work
- CLI Reference — tools generate, tools pin, and tools audit
- cascadeguard-exemplar — Example state repository with generated workflows