Mercurial > p > roundup > code


  
6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     1 # This workflow uses actions that are not certified by GitHub.


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     2 # They are provided by a third-party and are governed by


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     3 # separate terms of service, privacy policy, and support


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     4 # documentation.


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     5 


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     6 # This workflow checks out code, builds an image, performs a container image


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     7 # vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     8 # code scanning feature.  For more information on the Anchore scan action usage


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     9 # and parameters, see https://github.com/anchore/scan-action. For more


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    10 # information on Anchore's container image scanning tool Grype, see


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    11 # https://github.com/anchore/grype


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    12 name: Anchore Container Scan


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    13 


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    14 on:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    15   push:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    16     branches: [ "master" ]


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    17   pull_request:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    18     # The branches below must be a subset of the branches above


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    19     branches: [ "master" ]


7940


85c47edfc383
test: disable cron job running anchore

John Rouillard <rouilj@ieee.org>
parents: 
7728
diff
changeset


    20   #schedule:


85c47edfc383
test: disable cron job running anchore

John Rouillard <rouilj@ieee.org>
parents: 
7728
diff
changeset


    21     #- cron: '38 21 * * 6'


6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    22 


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    23 permissions:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    24   contents: read


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    25 


6956


ca6b056b79a4
only run on most current push.

John Rouillard <rouilj@ieee.org>
parents: 
6838
diff
changeset


    26 concurrency:


ca6b056b79a4
only run on most current push.

John Rouillard <rouilj@ieee.org>
parents: 
6838
diff
changeset


    27   group: ${{ github.workflow }}-${{ github.ref }}


ca6b056b79a4
only run on most current push.

John Rouillard <rouilj@ieee.org>
parents: 
6838
diff
changeset


    28   cancel-in-progress: true


ca6b056b79a4
only run on most current push.

John Rouillard <rouilj@ieee.org>
parents: 
6838
diff
changeset


    29 


6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    30 jobs:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    31   Anchore-Build-Scan:


7194


8dc5b3739367
Prevent github actions from running if commit includes 'no-github-ci'

John Rouillard <rouilj@ieee.org>
parents: 
7186
diff
changeset


    32     if: "!contains(github.event.head_commit.message, 'no-github-ci')"


6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    33     permissions:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    34       contents: read # for actions/checkout to fetch code


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    35       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    36       actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    37     runs-on: ubuntu-latest


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    38     steps:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    39     - name: Checkout the code


8479


69fc3cee878c
chore: github actions/checkout upgrade 5.0.0 to 6.0.0

John Rouillard <rouilj@ieee.org>
parents: 
8468
diff
changeset


    40       uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0


6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    41     - name: Build the Docker image


7147


7f4d20ebae4a
another try. Use same shell that builds roundup image to update base.

John Rouillard <rouilj@ieee.org>
parents: 
7146
diff
changeset


    42       run: docker pull python:3-alpine; docker build . --file scripts/Docker/Dockerfile --tag localbuild/testimage:latest


7273


6bffcc837bf7
Add list of docker to allow checking size.

John Rouillard <rouilj@ieee.org>
parents: 
7270
diff
changeset


    43     - name: List the Docker image


6bffcc837bf7
Add list of docker to allow checking size.

John Rouillard <rouilj@ieee.org>
parents: 
7270
diff
changeset


    44       run: docker image ls


6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    45     - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled


8480


3ab30654e9c1
chore: anchore anchore/scan-action upgrade 7.1.0 to 7.2.0

John Rouillard <rouilj@ieee.org>
parents: 
8479
diff
changeset


    46       uses: anchore/scan-action@3aaf50d765cfcceafa51d322ccb790e40f6cd8c5 # 7.2.0


7044


619563fbe2d3
Fix version identofier for Anchore scan

John Rouillard <rouilj@ieee.org>
parents: 
7043
diff
changeset


    47       id: scan


6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    48       with:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    49         image: "localbuild/testimage:latest"


7116


86dae713d4c6
Try to make anchore failure fail build but upload results

John Rouillard <rouilj@ieee.org>
parents: 
7046
diff
changeset


    50         fail-build: true


6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    51     - name: Upload Anchore Scan Report


7116


86dae713d4c6
Try to make anchore failure fail build but upload results

John Rouillard <rouilj@ieee.org>
parents: 
7046
diff
changeset


    52       if: always()


8336


1357dfcb81eb
chore: update actions to current versions.

John Rouillard <rouilj@ieee.org>
parents: 
7940
diff
changeset


    53       uses: github/codeql-action/upload-sarif@b1e4dc3db58c9601794e22a9f6d28d45461b9dbf # v2.22.0


6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    54       with:


7044


619563fbe2d3
Fix version identofier for Anchore scan

John Rouillard <rouilj@ieee.org>
parents: 
7043
diff
changeset


    55         sarif_file: ${{ steps.scan.outputs.sarif }}


619563fbe2d3
Fix version identofier for Anchore scan

John Rouillard <rouilj@ieee.org>
parents: 
7043
diff
changeset


    56     - name: Inspect action SARIF report


7116


86dae713d4c6
Try to make anchore failure fail build but upload results

John Rouillard <rouilj@ieee.org>
parents: 
7046
diff
changeset


    57       if: always()


7044


619563fbe2d3
Fix version identofier for Anchore scan

John Rouillard <rouilj@ieee.org>
parents: 
7043
diff
changeset


    58       run: cat ${{ steps.scan.outputs.sarif }}
author	John Rouillard <rouilj@ieee.org>
date	Mon, 24 Nov 2025 11:51:40 -0500
parents	69fc3cee878c
children	aab59f040b80
rev	line source
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	1 # This workflow uses actions that are not certified by GitHub.
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	2 # They are provided by a third-party and are governed by
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	3 # separate terms of service, privacy policy, and support
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	4 # documentation.
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	5
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	6 # This workflow checks out code, builds an image, performs a container image
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	7 # vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	8 # code scanning feature. For more information on the Anchore scan action usage
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	9 # and parameters, see https://github.com/anchore/scan-action. For more
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	10 # information on Anchore's container image scanning tool Grype, see
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	11 # https://github.com/anchore/grype
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	12 name: Anchore Container Scan
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	13
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	14 on:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	15 push:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	16 branches: [ "master" ]
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	17 pull_request:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	18 # The branches below must be a subset of the branches above
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	19 branches: [ "master" ]
7940 85c47edfc383 test: disable cron job running anchore John Rouillard <rouilj@ieee.org> parents: 7728 diff changeset	20 #schedule:
85c47edfc383 test: disable cron job running anchore John Rouillard <rouilj@ieee.org> parents: 7728 diff changeset	21 #- cron: '38 21 * * 6'
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	22
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	23 permissions:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	24 contents: read
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	25
6956 ca6b056b79a4 only run on most current push. John Rouillard <rouilj@ieee.org> parents: 6838 diff changeset	26 concurrency:
ca6b056b79a4 only run on most current push. John Rouillard <rouilj@ieee.org> parents: 6838 diff changeset	27 group: ${{ github.workflow }}-${{ github.ref }}
ca6b056b79a4 only run on most current push. John Rouillard <rouilj@ieee.org> parents: 6838 diff changeset	28 cancel-in-progress: true
ca6b056b79a4 only run on most current push. John Rouillard <rouilj@ieee.org> parents: 6838 diff changeset	29
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	30 jobs:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	31 Anchore-Build-Scan:
7194 8dc5b3739367 Prevent github actions from running if commit includes 'no-github-ci' John Rouillard <rouilj@ieee.org> parents: 7186 diff changeset	32 if: "!contains(github.event.head_commit.message, 'no-github-ci')"
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	33 permissions:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	34 contents: read # for actions/checkout to fetch code
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	35 security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	36 actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	37 runs-on: ubuntu-latest
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	38 steps:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	39 - name: Checkout the code
8479 69fc3cee878c chore: github actions/checkout upgrade 5.0.0 to 6.0.0 John Rouillard <rouilj@ieee.org> parents: 8468 diff changeset	40 uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	41 - name: Build the Docker image
7147 7f4d20ebae4a another try. Use same shell that builds roundup image to update base. John Rouillard <rouilj@ieee.org> parents: 7146 diff changeset	42 run: docker pull python:3-alpine; docker build . --file scripts/Docker/Dockerfile --tag localbuild/testimage:latest
7273 6bffcc837bf7 Add list of docker to allow checking size. John Rouillard <rouilj@ieee.org> parents: 7270 diff changeset	43 - name: List the Docker image
6bffcc837bf7 Add list of docker to allow checking size. John Rouillard <rouilj@ieee.org> parents: 7270 diff changeset	44 run: docker image ls
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	45 - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
8480 3ab30654e9c1 chore: anchore anchore/scan-action upgrade 7.1.0 to 7.2.0 John Rouillard <rouilj@ieee.org> parents: 8479 diff changeset	46 uses: anchore/scan-action@3aaf50d765cfcceafa51d322ccb790e40f6cd8c5 # 7.2.0
7044 619563fbe2d3 Fix version identofier for Anchore scan John Rouillard <rouilj@ieee.org> parents: 7043 diff changeset	47 id: scan
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	48 with:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	49 image: "localbuild/testimage:latest"
7116 86dae713d4c6 Try to make anchore failure fail build but upload results John Rouillard <rouilj@ieee.org> parents: 7046 diff changeset	50 fail-build: true
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	51 - name: Upload Anchore Scan Report
7116 86dae713d4c6 Try to make anchore failure fail build but upload results John Rouillard <rouilj@ieee.org> parents: 7046 diff changeset	52 if: always()
8336 1357dfcb81eb chore: update actions to current versions. John Rouillard <rouilj@ieee.org> parents: 7940 diff changeset	53 uses: github/codeql-action/upload-sarif@b1e4dc3db58c9601794e22a9f6d28d45461b9dbf # v2.22.0
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	54 with:
7044 619563fbe2d3 Fix version identofier for Anchore scan John Rouillard <rouilj@ieee.org> parents: 7043 diff changeset	55 sarif_file: ${{ steps.scan.outputs.sarif }}
619563fbe2d3 Fix version identofier for Anchore scan John Rouillard <rouilj@ieee.org> parents: 7043 diff changeset	56 - name: Inspect action SARIF report
7116 86dae713d4c6 Try to make anchore failure fail build but upload results John Rouillard <rouilj@ieee.org> parents: 7046 diff changeset	57 if: always()
7044 619563fbe2d3 Fix version identofier for Anchore scan John Rouillard <rouilj@ieee.org> parents: 7043 diff changeset	58 run: cat ${{ steps.scan.outputs.sarif }}