Mercurial > p > roundup > code
annotate .github/workflows/anchore.yml @ 6838:3387f458ed27
add workflow - docker container security check
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Wed, 31 Aug 2022 01:08:49 -0400 |
| parents | |
| children | ca6b056b79a4 |
| rev | line source |
|---|---|
|
6838
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
1 # This workflow uses actions that are not certified by GitHub. |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
2 # They are provided by a third-party and are governed by |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
3 # separate terms of service, privacy policy, and support |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
4 # documentation. |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
5 |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
6 # This workflow checks out code, builds an image, performs a container image |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
7 # vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
8 # code scanning feature. For more information on the Anchore scan action usage |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
9 # and parameters, see https://github.com/anchore/scan-action. For more |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
10 # information on Anchore's container image scanning tool Grype, see |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
11 # https://github.com/anchore/grype |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
12 name: Anchore Container Scan |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
13 |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
14 on: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
15 push: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
16 branches: [ "master" ] |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
17 pull_request: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
18 # The branches below must be a subset of the branches above |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
19 branches: [ "master" ] |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
20 schedule: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
21 - cron: '38 21 * * 6' |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
22 |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
23 permissions: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
24 contents: read |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
25 |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
26 jobs: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
27 Anchore-Build-Scan: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
28 permissions: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
29 contents: read # for actions/checkout to fetch code |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
30 security-events: write # for github/codeql-action/upload-sarif to upload SARIF results |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
31 actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
32 runs-on: ubuntu-latest |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
33 steps: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
34 - name: Checkout the code |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
35 uses: actions/checkout@v3 |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
36 - name: Build the Docker image |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
37 run: docker build . --file scripts/Docker/Dockerfile --tag localbuild/testimage:latest |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
38 - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
39 uses: anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
40 with: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
41 image: "localbuild/testimage:latest" |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
42 acs-report-enable: true |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
43 fail-build: false |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
44 - name: Upload Anchore Scan Report |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
45 uses: github/codeql-action/upload-sarif@v2 |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
46 with: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
47 sarif_file: results.sarif |