Mercurial > p > roundup > code
annotate .github/workflows/anchore.yml @ 6952:4eea63155cff
enable all tests, make test job failure stil run final job.
Even if some jobs fail in the test matrix, still run the final job.
Also run all tests as upload is working now.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Sat, 10 Sep 2022 21:57:45 -0400 |
| parents | 3387f458ed27 |
| children | ca6b056b79a4 |
| rev | line source |
|---|---|
|
6838
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
1 # This workflow uses actions that are not certified by GitHub. |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
2 # They are provided by a third-party and are governed by |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
3 # separate terms of service, privacy policy, and support |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
4 # documentation. |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
5 |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
6 # This workflow checks out code, builds an image, performs a container image |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
7 # vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
8 # code scanning feature. For more information on the Anchore scan action usage |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
9 # and parameters, see https://github.com/anchore/scan-action. For more |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
10 # information on Anchore's container image scanning tool Grype, see |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
11 # https://github.com/anchore/grype |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
12 name: Anchore Container Scan |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
13 |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
14 on: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
15 push: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
16 branches: [ "master" ] |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
17 pull_request: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
18 # The branches below must be a subset of the branches above |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
19 branches: [ "master" ] |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
20 schedule: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
21 - cron: '38 21 * * 6' |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
22 |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
23 permissions: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
24 contents: read |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
25 |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
26 jobs: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
27 Anchore-Build-Scan: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
28 permissions: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
29 contents: read # for actions/checkout to fetch code |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
30 security-events: write # for github/codeql-action/upload-sarif to upload SARIF results |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
31 actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
32 runs-on: ubuntu-latest |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
33 steps: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
34 - name: Checkout the code |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
35 uses: actions/checkout@v3 |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
36 - name: Build the Docker image |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
37 run: docker build . --file scripts/Docker/Dockerfile --tag localbuild/testimage:latest |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
38 - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
39 uses: anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
40 with: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
41 image: "localbuild/testimage:latest" |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
42 acs-report-enable: true |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
43 fail-build: false |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
44 - name: Upload Anchore Scan Report |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
45 uses: github/codeql-action/upload-sarif@v2 |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
46 with: |
|
3387f458ed27
add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff
changeset
|
47 sarif_file: results.sarif |