Mercurial > p > roundup > code


  
6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     1 # This workflow uses actions that are not certified by GitHub.


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     2 # They are provided by a third-party and are governed by


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     3 # separate terms of service, privacy policy, and support


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     4 # documentation.


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     5 


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     6 # This workflow checks out code, builds an image, performs a container image


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     7 # vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     8 # code scanning feature.  For more information on the Anchore scan action usage


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     9 # and parameters, see https://github.com/anchore/scan-action. For more


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    10 # information on Anchore's container image scanning tool Grype, see


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    11 # https://github.com/anchore/grype


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    12 name: Anchore Container Scan


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    13 


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    14 on:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    15   push:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    16     branches: [ "master" ]


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    17   pull_request:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    18     # The branches below must be a subset of the branches above


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    19     branches: [ "master" ]


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    20   schedule:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    21     - cron: '38 21 * * 6'


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    22 


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    23 permissions:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    24   contents: read


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    25 


6956


ca6b056b79a4
only run on most current push.

John Rouillard <rouilj@ieee.org>
parents: 
6838
diff
changeset


    26 concurrency:


ca6b056b79a4
only run on most current push.

John Rouillard <rouilj@ieee.org>
parents: 
6838
diff
changeset


    27   group: ${{ github.workflow }}-${{ github.ref }}


ca6b056b79a4
only run on most current push.

John Rouillard <rouilj@ieee.org>
parents: 
6838
diff
changeset


    28   cancel-in-progress: true


ca6b056b79a4
only run on most current push.

John Rouillard <rouilj@ieee.org>
parents: 
6838
diff
changeset


    29 


6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    30 jobs:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    31   Anchore-Build-Scan:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    32     permissions:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    33       contents: read # for actions/checkout to fetch code


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    34       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    35       actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    36     runs-on: ubuntu-latest


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    37     steps:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    38     - name: Checkout the code


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    39       uses: actions/checkout@v3


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    40     - name: Build the Docker image


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    41       run: docker build . --file scripts/Docker/Dockerfile --tag localbuild/testimage:latest


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    42     - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled


7043


02321d2c8458
Update to latest Anchore to see if it fixes depreciation warnings.

John Rouillard <rouilj@ieee.org>
parents: 
6956
diff
changeset


    43       uses: anchore/scan-action@3.3.1


6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    44       with:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    45         image: "localbuild/testimage:latest"


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    46         acs-report-enable: true


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    47         fail-build: false


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    48     - name: Upload Anchore Scan Report


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    49       uses: github/codeql-action/upload-sarif@v2


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    50       with:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    51         sarif_file: results.sarif
author	John Rouillard <rouilj@ieee.org>
date	Mon, 07 Nov 2022 19:11:20 -0500
parents	ca6b056b79a4
children	619563fbe2d3
rev	line source
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	1 # This workflow uses actions that are not certified by GitHub.
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	2 # They are provided by a third-party and are governed by
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	3 # separate terms of service, privacy policy, and support
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	4 # documentation.
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	5
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	6 # This workflow checks out code, builds an image, performs a container image
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	7 # vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	8 # code scanning feature. For more information on the Anchore scan action usage
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	9 # and parameters, see https://github.com/anchore/scan-action. For more
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	10 # information on Anchore's container image scanning tool Grype, see
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	11 # https://github.com/anchore/grype
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	12 name: Anchore Container Scan
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	13
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	14 on:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	15 push:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	16 branches: [ "master" ]
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	17 pull_request:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	18 # The branches below must be a subset of the branches above
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	19 branches: [ "master" ]
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	20 schedule:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	21 - cron: '38 21 * * 6'
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	22
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	23 permissions:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	24 contents: read
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	25
6956 ca6b056b79a4 only run on most current push. John Rouillard <rouilj@ieee.org> parents: 6838 diff changeset	26 concurrency:
ca6b056b79a4 only run on most current push. John Rouillard <rouilj@ieee.org> parents: 6838 diff changeset	27 group: ${{ github.workflow }}-${{ github.ref }}
ca6b056b79a4 only run on most current push. John Rouillard <rouilj@ieee.org> parents: 6838 diff changeset	28 cancel-in-progress: true
ca6b056b79a4 only run on most current push. John Rouillard <rouilj@ieee.org> parents: 6838 diff changeset	29
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	30 jobs:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	31 Anchore-Build-Scan:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	32 permissions:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	33 contents: read # for actions/checkout to fetch code
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	34 security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	35 actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	36 runs-on: ubuntu-latest
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	37 steps:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	38 - name: Checkout the code
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	39 uses: actions/checkout@v3
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	40 - name: Build the Docker image
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	41 run: docker build . --file scripts/Docker/Dockerfile --tag localbuild/testimage:latest
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	42 - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
7043 02321d2c8458 Update to latest Anchore to see if it fixes depreciation warnings. John Rouillard <rouilj@ieee.org> parents: 6956 diff changeset	43 uses: anchore/scan-action@3.3.1
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	44 with:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	45 image: "localbuild/testimage:latest"
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	46 acs-report-enable: true
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	47 fail-build: false
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	48 - name: Upload Anchore Scan Report
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	49 uses: github/codeql-action/upload-sarif@v2
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	50 with:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	51 sarif_file: results.sarif