Mercurial > p > roundup > code
annotate .github/workflows/anchore.yml @ 6994:4336e655b2be
Update packages in docker image; supress pip warning; improve cache
use apk to update packages in image to get security fixes
pip warns when run as root. In a dcker environment this can be ignored
as the entire image is effectively a venv.
Move inclusion of specific pip packages lower in the build procedure
so we can cache all prior layers. Including it earlier resulted in
layers that could be cached being invalidated.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sat, 01 Oct 2022 23:40:48 -0400 |
| parents | ca6b056b79a4 |
| children | 02321d2c8458 |
| rev | line source |
|---|---|
|
6838
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
1 # This workflow uses actions that are not certified by GitHub. |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
2 # They are provided by a third-party and are governed by |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
3 # separate terms of service, privacy policy, and support |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
4 # documentation. |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
5 |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
6 # This workflow checks out code, builds an image, performs a container image |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
7 # vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
8 # code scanning feature. For more information on the Anchore scan action usage |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
9 # and parameters, see https://github.com/anchore/scan-action. For more |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
10 # information on Anchore's container image scanning tool Grype, see |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
11 # https://github.com/anchore/grype |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
12 name: Anchore Container Scan |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
13 |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
14 on: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
15 push: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
16 branches: [ "master" ] |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
17 pull_request: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
18 # The branches below must be a subset of the branches above |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
19 branches: [ "master" ] |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
20 schedule: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
21 - cron: '38 21 * * 6' |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
22 |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
23 permissions: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
24 contents: read |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
25 |
|
6956
ca6b056b79a4
only run on most current push.
John Rouillard <rouilj@ieee.org>
parents:
6838
diff
changeset
|
26 concurrency: |
|
ca6b056b79a4
only run on most current push.
John Rouillard <rouilj@ieee.org>
parents:
6838
diff
changeset
|
27 group: ${{ github.workflow }}-${{ github.ref }} |
|
ca6b056b79a4
only run on most current push.
John Rouillard <rouilj@ieee.org>
parents:
6838
diff
changeset
|
28 cancel-in-progress: true |
|
ca6b056b79a4
only run on most current push.
John Rouillard <rouilj@ieee.org>
parents:
6838
diff
changeset
|
29 |
|
6838
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
30 jobs: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
31 Anchore-Build-Scan: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
32 permissions: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
33 contents: read # for actions/checkout to fetch code |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
34 security-events: write # for github/codeql-action/upload-sarif to upload SARIF results |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
35 actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
36 runs-on: ubuntu-latest |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
37 steps: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
38 - name: Checkout the code |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
39 uses: actions/checkout@v3 |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
40 - name: Build the Docker image |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
41 run: docker build . --file scripts/Docker/Dockerfile --tag localbuild/testimage:latest |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
42 - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
43 uses: anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
44 with: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
45 image: "localbuild/testimage:latest" |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
46 acs-report-enable: true |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
47 fail-build: false |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
48 - name: Upload Anchore Scan Report |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
49 uses: github/codeql-action/upload-sarif@v2 |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
50 with: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
51 sarif_file: results.sarif |