Mercurial > p > roundup > code

annotate .github/workflows/anchore.yml @ 7632:0334d371ea11

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
build: prevent diff from exiting shell script. [skip travis]
author John Rouillard <rouilj@ieee.org>
date Mon, 11 Sep 2023 03:38:22 -0400
parents 926ea14c3450
children bdc81c1e2eec
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
6838
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
1 # This workflow uses actions that are not certified by GitHub.
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
2 # They are provided by a third-party and are governed by
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
3 # separate terms of service, privacy policy, and support
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
4 # documentation.
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
5
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
6 # This workflow checks out code, builds an image, performs a container image
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
7 # vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
8 # code scanning feature. For more information on the Anchore scan action usage
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
9 # and parameters, see https://github.com/anchore/scan-action. For more
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
10 # information on Anchore's container image scanning tool Grype, see
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
11 # https://github.com/anchore/grype
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
12 name: Anchore Container Scan
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
13
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
14 on:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
15 push:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
16 branches: [ "master" ]
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
17 pull_request:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
18 # The branches below must be a subset of the branches above
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
19 branches: [ "master" ]
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
20 schedule:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
21 - cron: '38 21 * * 6'
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
22
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
23 permissions:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
24 contents: read
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
25
6956
ca6b056b79a4 only run on most current push.
John Rouillard <rouilj@ieee.org>
parents: 6838
diff changeset
26 concurrency:
ca6b056b79a4 only run on most current push.
John Rouillard <rouilj@ieee.org>
parents: 6838
diff changeset
27 group: ${{ github.workflow }}-${{ github.ref }}
ca6b056b79a4 only run on most current push.
John Rouillard <rouilj@ieee.org>
parents: 6838
diff changeset
28 cancel-in-progress: true
ca6b056b79a4 only run on most current push.
John Rouillard <rouilj@ieee.org>
parents: 6838
diff changeset
29
6838
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
30 jobs:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
31 Anchore-Build-Scan:
7194
8dc5b3739367 Prevent github actions from running if commit includes 'no-github-ci'
John Rouillard <rouilj@ieee.org>
parents: 7186
diff changeset
32 if: "!contains(github.event.head_commit.message, 'no-github-ci')"
6838
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
33 permissions:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
34 contents: read # for actions/checkout to fetch code
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
35 security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
36 actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
37 runs-on: ubuntu-latest
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
38 steps:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
39 - name: Checkout the code
7617
926ea14c3450 chore(deps): bump actions/checkout from 3.6.0 to 4.0.0 - https://github.com/roundup-tracker/roundup/pull/47
John Rouillard <rouilj@ieee.org>
parents: 7613
diff changeset
40 uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
6838
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
41 - name: Build the Docker image
7147
7f4d20ebae4a another try. Use same shell that builds roundup image to update base.
John Rouillard <rouilj@ieee.org>
parents: 7146
diff changeset
42 run: docker pull python:3-alpine; docker build . --file scripts/Docker/Dockerfile --tag localbuild/testimage:latest
7273
6bffcc837bf7 Add list of docker to allow checking size.
John Rouillard <rouilj@ieee.org>
parents: 7270
diff changeset
43 - name: List the Docker image
6bffcc837bf7 Add list of docker to allow checking size.
John Rouillard <rouilj@ieee.org>
parents: 7270
diff changeset
44 run: docker image ls
6838
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
45 - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
7515
6dc7b1f1451c Bump anchore/scan-action from 3.3.5 to 3.3.6 - https://github.com/roundup-tracker/roundup/pull/43
John Rouillard <rouilj@ieee.org>
parents: 7486
diff changeset
46 uses: anchore/scan-action@24fd7c9060f3c96848dd1929fac8d796fb5ae4b4 # v3.3.6
7044
619563fbe2d3 Fix version identofier for Anchore scan
John Rouillard <rouilj@ieee.org>
parents: 7043
diff changeset
47 id: scan
6838
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
48 with:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
49 image: "localbuild/testimage:latest"
7116
86dae713d4c6 Try to make anchore failure fail build but upload results
John Rouillard <rouilj@ieee.org>
parents: 7046
diff changeset
50 fail-build: true
6838
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
51 - name: Upload Anchore Scan Report
7116
86dae713d4c6 Try to make anchore failure fail build but upload results
John Rouillard <rouilj@ieee.org>
parents: 7046
diff changeset
52 if: always()
7486
0b4028a75705 Bump github/codeql-action from 2.3.6 to 2.13.4 - https://github.com/roundup-tracker/roundup/pull/38
John Rouillard <rouilj@ieee.org>
parents: 7485
diff changeset
53 uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a
0b4028a75705 Bump github/codeql-action from 2.3.6 to 2.13.4 - https://github.com/roundup-tracker/roundup/pull/38
John Rouillard <rouilj@ieee.org>
parents: 7485
diff changeset
54 # v2.13.4
6838
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
55 with:
7044
619563fbe2d3 Fix version identofier for Anchore scan
John Rouillard <rouilj@ieee.org>
parents: 7043
diff changeset
56 sarif_file: ${{ steps.scan.outputs.sarif }}
619563fbe2d3 Fix version identofier for Anchore scan
John Rouillard <rouilj@ieee.org>
parents: 7043
diff changeset
57 - name: Inspect action SARIF report
7116
86dae713d4c6 Try to make anchore failure fail build but upload results
John Rouillard <rouilj@ieee.org>
parents: 7046
diff changeset
58 if: always()
7044
619563fbe2d3 Fix version identofier for Anchore scan
John Rouillard <rouilj@ieee.org>
parents: 7043
diff changeset
59 run: cat ${{ steps.scan.outputs.sarif }}
Roundup Issue Tracker: http://roundup-tracker.org/