Mercurial > p > roundup > code


  
6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     1 # This workflow uses actions that are not certified by GitHub.


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     2 # They are provided by a third-party and are governed by


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     3 # separate terms of service, privacy policy, and support


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     4 # documentation.


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     5 


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     6 # This workflow checks out code, builds an image, performs a container image


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     7 # vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     8 # code scanning feature.  For more information on the Anchore scan action usage


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     9 # and parameters, see https://github.com/anchore/scan-action. For more


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    10 # information on Anchore's container image scanning tool Grype, see


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    11 # https://github.com/anchore/grype


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    12 name: Anchore Container Scan


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    13 


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    14 on:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    15   push:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    16     branches: [ "master" ]


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    17   pull_request:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    18     # The branches below must be a subset of the branches above


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    19     branches: [ "master" ]


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    20   schedule:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    21     - cron: '38 21 * * 6'


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    22 


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    23 permissions:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    24   contents: read


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    25 


6956


ca6b056b79a4
only run on most current push.

John Rouillard <rouilj@ieee.org>
parents: 
6838
diff
changeset


    26 concurrency:


ca6b056b79a4
only run on most current push.

John Rouillard <rouilj@ieee.org>
parents: 
6838
diff
changeset


    27   group: ${{ github.workflow }}-${{ github.ref }}


ca6b056b79a4
only run on most current push.

John Rouillard <rouilj@ieee.org>
parents: 
6838
diff
changeset


    28   cancel-in-progress: true


ca6b056b79a4
only run on most current push.

John Rouillard <rouilj@ieee.org>
parents: 
6838
diff
changeset


    29 


6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    30 jobs:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    31   Anchore-Build-Scan:


7194


8dc5b3739367
Prevent github actions from running if commit includes 'no-github-ci'

John Rouillard <rouilj@ieee.org>
parents: 
7186
diff
changeset


    32     if: "!contains(github.event.head_commit.message, 'no-github-ci')"


6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    33     permissions:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    34       contents: read # for actions/checkout to fetch code


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    35       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    36       actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    37     runs-on: ubuntu-latest


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    38     steps:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    39     - name: Checkout the code


7641


bdc81c1e2eec
build(deps): bump actions/checkout from 4.0.0 to 4.1.0 - https://github.com/roundup-tracker/roundup/pull/50

John Rouillard <rouilj@ieee.org>
parents: 
7617
diff
changeset


    40       uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0


6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    41     - name: Build the Docker image


7147


7f4d20ebae4a
another try. Use same shell that builds roundup image to update base.

John Rouillard <rouilj@ieee.org>
parents: 
7146
diff
changeset


    42       run: docker pull python:3-alpine; docker build . --file scripts/Docker/Dockerfile --tag localbuild/testimage:latest


7273


6bffcc837bf7
Add list of docker to allow checking size.

John Rouillard <rouilj@ieee.org>
parents: 
7270
diff
changeset


    43     - name: List the Docker image


6bffcc837bf7
Add list of docker to allow checking size.

John Rouillard <rouilj@ieee.org>
parents: 
7270
diff
changeset


    44       run: docker image ls


6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    45     - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled


7515


6dc7b1f1451c
Bump anchore/scan-action from 3.3.5 to 3.3.6 - https://github.com/roundup-tracker/roundup/pull/43

John Rouillard <rouilj@ieee.org>
parents: 
7486
diff
changeset


    46       uses: anchore/scan-action@24fd7c9060f3c96848dd1929fac8d796fb5ae4b4 # v3.3.6


7044


619563fbe2d3
Fix version identofier for Anchore scan

John Rouillard <rouilj@ieee.org>
parents: 
7043
diff
changeset


    47       id: scan


6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    48       with:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    49         image: "localbuild/testimage:latest"


7116


86dae713d4c6
Try to make anchore failure fail build but upload results

John Rouillard <rouilj@ieee.org>
parents: 
7046
diff
changeset


    50         fail-build: true


6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    51     - name: Upload Anchore Scan Report


7116


86dae713d4c6
Try to make anchore failure fail build but upload results

John Rouillard <rouilj@ieee.org>
parents: 
7046
diff
changeset


    52       if: always()


7486


0b4028a75705
Bump github/codeql-action from 2.3.6 to 2.13.4 - https://github.com/roundup-tracker/roundup/pull/38

John Rouillard <rouilj@ieee.org>
parents: 
7485
diff
changeset


    53       uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a


0b4028a75705
Bump github/codeql-action from 2.3.6 to 2.13.4 - https://github.com/roundup-tracker/roundup/pull/38

John Rouillard <rouilj@ieee.org>
parents: 
7485
diff
changeset


    54   # v2.13.4


6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    55       with:


7044


619563fbe2d3
Fix version identofier for Anchore scan

John Rouillard <rouilj@ieee.org>
parents: 
7043
diff
changeset


    56         sarif_file: ${{ steps.scan.outputs.sarif }}


619563fbe2d3
Fix version identofier for Anchore scan

John Rouillard <rouilj@ieee.org>
parents: 
7043
diff
changeset


    57     - name: Inspect action SARIF report


7116


86dae713d4c6
Try to make anchore failure fail build but upload results

John Rouillard <rouilj@ieee.org>
parents: 
7046
diff
changeset


    58       if: always()


7044


619563fbe2d3
Fix version identofier for Anchore scan

John Rouillard <rouilj@ieee.org>
parents: 
7043
diff
changeset


    59       run: cat ${{ steps.scan.outputs.sarif }}
author	John Rouillard <rouilj@ieee.org>
date	Fri, 06 Oct 2023 09:53:22 -0400
parents	d88bdaeecbec
children	a17d0abfb212
rev	line source
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	1 # This workflow uses actions that are not certified by GitHub.
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	2 # They are provided by a third-party and are governed by
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	3 # separate terms of service, privacy policy, and support
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	4 # documentation.
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	5
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	6 # This workflow checks out code, builds an image, performs a container image
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	7 # vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	8 # code scanning feature. For more information on the Anchore scan action usage
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	9 # and parameters, see https://github.com/anchore/scan-action. For more
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	10 # information on Anchore's container image scanning tool Grype, see
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	11 # https://github.com/anchore/grype
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	12 name: Anchore Container Scan
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	13
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	14 on:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	15 push:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	16 branches: [ "master" ]
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	17 pull_request:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	18 # The branches below must be a subset of the branches above
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	19 branches: [ "master" ]
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	20 schedule:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	21 - cron: '38 21 * * 6'
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	22
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	23 permissions:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	24 contents: read
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	25
6956 ca6b056b79a4 only run on most current push. John Rouillard <rouilj@ieee.org> parents: 6838 diff changeset	26 concurrency:
ca6b056b79a4 only run on most current push. John Rouillard <rouilj@ieee.org> parents: 6838 diff changeset	27 group: ${{ github.workflow }}-${{ github.ref }}
ca6b056b79a4 only run on most current push. John Rouillard <rouilj@ieee.org> parents: 6838 diff changeset	28 cancel-in-progress: true
ca6b056b79a4 only run on most current push. John Rouillard <rouilj@ieee.org> parents: 6838 diff changeset	29
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	30 jobs:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	31 Anchore-Build-Scan:
7194 8dc5b3739367 Prevent github actions from running if commit includes 'no-github-ci' John Rouillard <rouilj@ieee.org> parents: 7186 diff changeset	32 if: "!contains(github.event.head_commit.message, 'no-github-ci')"
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	33 permissions:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	34 contents: read # for actions/checkout to fetch code
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	35 security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	36 actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	37 runs-on: ubuntu-latest
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	38 steps:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	39 - name: Checkout the code
7641 bdc81c1e2eec build(deps): bump actions/checkout from 4.0.0 to 4.1.0 - https://github.com/roundup-tracker/roundup/pull/50 John Rouillard <rouilj@ieee.org> parents: 7617 diff changeset	40 uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	41 - name: Build the Docker image
7147 7f4d20ebae4a another try. Use same shell that builds roundup image to update base. John Rouillard <rouilj@ieee.org> parents: 7146 diff changeset	42 run: docker pull python:3-alpine; docker build . --file scripts/Docker/Dockerfile --tag localbuild/testimage:latest
7273 6bffcc837bf7 Add list of docker to allow checking size. John Rouillard <rouilj@ieee.org> parents: 7270 diff changeset	43 - name: List the Docker image
6bffcc837bf7 Add list of docker to allow checking size. John Rouillard <rouilj@ieee.org> parents: 7270 diff changeset	44 run: docker image ls
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	45 - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
7515 6dc7b1f1451c Bump anchore/scan-action from 3.3.5 to 3.3.6 - https://github.com/roundup-tracker/roundup/pull/43 John Rouillard <rouilj@ieee.org> parents: 7486 diff changeset	46 uses: anchore/scan-action@24fd7c9060f3c96848dd1929fac8d796fb5ae4b4 # v3.3.6
7044 619563fbe2d3 Fix version identofier for Anchore scan John Rouillard <rouilj@ieee.org> parents: 7043 diff changeset	47 id: scan
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	48 with:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	49 image: "localbuild/testimage:latest"
7116 86dae713d4c6 Try to make anchore failure fail build but upload results John Rouillard <rouilj@ieee.org> parents: 7046 diff changeset	50 fail-build: true
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	51 - name: Upload Anchore Scan Report
7116 86dae713d4c6 Try to make anchore failure fail build but upload results John Rouillard <rouilj@ieee.org> parents: 7046 diff changeset	52 if: always()
7486 0b4028a75705 Bump github/codeql-action from 2.3.6 to 2.13.4 - https://github.com/roundup-tracker/roundup/pull/38 John Rouillard <rouilj@ieee.org> parents: 7485 diff changeset	53 uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a
0b4028a75705 Bump github/codeql-action from 2.3.6 to 2.13.4 - https://github.com/roundup-tracker/roundup/pull/38 John Rouillard <rouilj@ieee.org> parents: 7485 diff changeset	54 # v2.13.4
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	55 with:
7044 619563fbe2d3 Fix version identofier for Anchore scan John Rouillard <rouilj@ieee.org> parents: 7043 diff changeset	56 sarif_file: ${{ steps.scan.outputs.sarif }}
619563fbe2d3 Fix version identofier for Anchore scan John Rouillard <rouilj@ieee.org> parents: 7043 diff changeset	57 - name: Inspect action SARIF report
7116 86dae713d4c6 Try to make anchore failure fail build but upload results John Rouillard <rouilj@ieee.org> parents: 7046 diff changeset	58 if: always()
7044 619563fbe2d3 Fix version identofier for Anchore scan John Rouillard <rouilj@ieee.org> parents: 7043 diff changeset	59 run: cat ${{ steps.scan.outputs.sarif }}