Mercurial > p > roundup > code


  
6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     1 # This workflow uses actions that are not certified by GitHub.


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     2 # They are provided by a third-party and are governed by


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     3 # separate terms of service, privacy policy, and support


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     4 # documentation.


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     5 


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     6 # This workflow checks out code, builds an image, performs a container image


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     7 # vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     8 # code scanning feature.  For more information on the Anchore scan action usage


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


     9 # and parameters, see https://github.com/anchore/scan-action. For more


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    10 # information on Anchore's container image scanning tool Grype, see


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    11 # https://github.com/anchore/grype


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    12 name: Anchore Container Scan


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    13 


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    14 on:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    15   push:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    16     branches: [ "master" ]


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    17   pull_request:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    18     # The branches below must be a subset of the branches above


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    19     branches: [ "master" ]


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    20   schedule:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    21     - cron: '38 21 * * 6'


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    22 


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    23 permissions:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    24   contents: read


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    25 


6956


ca6b056b79a4
only run on most current push.

John Rouillard <rouilj@ieee.org>
parents: 
6838
diff
changeset


    26 concurrency:


ca6b056b79a4
only run on most current push.

John Rouillard <rouilj@ieee.org>
parents: 
6838
diff
changeset


    27   group: ${{ github.workflow }}-${{ github.ref }}


ca6b056b79a4
only run on most current push.

John Rouillard <rouilj@ieee.org>
parents: 
6838
diff
changeset


    28   cancel-in-progress: true


ca6b056b79a4
only run on most current push.

John Rouillard <rouilj@ieee.org>
parents: 
6838
diff
changeset


    29 


6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    30 jobs:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    31   Anchore-Build-Scan:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    32     permissions:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    33       contents: read # for actions/checkout to fetch code


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    34       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    35       actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status 


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    36     runs-on: ubuntu-latest


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    37     steps:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    38     - name: Checkout the code


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    39       uses: actions/checkout@v3


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    40     - name: Build the Docker image


7147


7f4d20ebae4a
another try. Use same shell that builds roundup image to update base.

John Rouillard <rouilj@ieee.org>
parents: 
7146
diff
changeset


    41       run: docker pull python:3-alpine; docker build . --file scripts/Docker/Dockerfile --tag localbuild/testimage:latest


6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    42     - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled


7044


619563fbe2d3
Fix version identofier for Anchore scan

John Rouillard <rouilj@ieee.org>
parents: 
7043
diff
changeset


    43       uses: anchore/scan-action@v3


619563fbe2d3
Fix version identofier for Anchore scan

John Rouillard <rouilj@ieee.org>
parents: 
7043
diff
changeset


    44       id: scan


6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    45       with:


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    46         image: "localbuild/testimage:latest"


7116


86dae713d4c6
Try to make anchore failure fail build but upload results

John Rouillard <rouilj@ieee.org>
parents: 
7046
diff
changeset


    47         fail-build: true


6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    48     - name: Upload Anchore Scan Report


7116


86dae713d4c6
Try to make anchore failure fail build but upload results

John Rouillard <rouilj@ieee.org>
parents: 
7046
diff
changeset


    49       if: always()


6838


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    50       uses: github/codeql-action/upload-sarif@v2


3387f458ed27
add workflow - docker container security check

John Rouillard <rouilj@ieee.org>
parents: 
diff
changeset


    51       with:


7044


619563fbe2d3
Fix version identofier for Anchore scan

John Rouillard <rouilj@ieee.org>
parents: 
7043
diff
changeset


    52         sarif_file: ${{ steps.scan.outputs.sarif }}


619563fbe2d3
Fix version identofier for Anchore scan

John Rouillard <rouilj@ieee.org>
parents: 
7043
diff
changeset


    53     - name: Inspect action SARIF report


7116


86dae713d4c6
Try to make anchore failure fail build but upload results

John Rouillard <rouilj@ieee.org>
parents: 
7046
diff
changeset


    54       if: always()


7044


619563fbe2d3
Fix version identofier for Anchore scan

John Rouillard <rouilj@ieee.org>
parents: 
7043
diff
changeset


    55       run: cat ${{ steps.scan.outputs.sarif }}
author	John Rouillard <rouilj@ieee.org>
date	Wed, 15 Feb 2023 18:50:53 -0500
parents	572d1a9f875c
children	cc49ac11850f
rev	line source
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	1 # This workflow uses actions that are not certified by GitHub.
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	2 # They are provided by a third-party and are governed by
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	3 # separate terms of service, privacy policy, and support
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	4 # documentation.
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	5
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	6 # This workflow checks out code, builds an image, performs a container image
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	7 # vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	8 # code scanning feature. For more information on the Anchore scan action usage
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	9 # and parameters, see https://github.com/anchore/scan-action. For more
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	10 # information on Anchore's container image scanning tool Grype, see
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	11 # https://github.com/anchore/grype
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	12 name: Anchore Container Scan
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	13
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	14 on:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	15 push:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	16 branches: [ "master" ]
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	17 pull_request:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	18 # The branches below must be a subset of the branches above
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	19 branches: [ "master" ]
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	20 schedule:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	21 - cron: '38 21 * * 6'
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	22
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	23 permissions:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	24 contents: read
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	25
6956 ca6b056b79a4 only run on most current push. John Rouillard <rouilj@ieee.org> parents: 6838 diff changeset	26 concurrency:
ca6b056b79a4 only run on most current push. John Rouillard <rouilj@ieee.org> parents: 6838 diff changeset	27 group: ${{ github.workflow }}-${{ github.ref }}
ca6b056b79a4 only run on most current push. John Rouillard <rouilj@ieee.org> parents: 6838 diff changeset	28 cancel-in-progress: true
ca6b056b79a4 only run on most current push. John Rouillard <rouilj@ieee.org> parents: 6838 diff changeset	29
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	30 jobs:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	31 Anchore-Build-Scan:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	32 permissions:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	33 contents: read # for actions/checkout to fetch code
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	34 security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	35 actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	36 runs-on: ubuntu-latest
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	37 steps:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	38 - name: Checkout the code
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	39 uses: actions/checkout@v3
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	40 - name: Build the Docker image
7147 7f4d20ebae4a another try. Use same shell that builds roundup image to update base. John Rouillard <rouilj@ieee.org> parents: 7146 diff changeset	41 run: docker pull python:3-alpine; docker build . --file scripts/Docker/Dockerfile --tag localbuild/testimage:latest
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	42 - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
7044 619563fbe2d3 Fix version identofier for Anchore scan John Rouillard <rouilj@ieee.org> parents: 7043 diff changeset	43 uses: anchore/scan-action@v3
619563fbe2d3 Fix version identofier for Anchore scan John Rouillard <rouilj@ieee.org> parents: 7043 diff changeset	44 id: scan
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	45 with:
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	46 image: "localbuild/testimage:latest"
7116 86dae713d4c6 Try to make anchore failure fail build but upload results John Rouillard <rouilj@ieee.org> parents: 7046 diff changeset	47 fail-build: true
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	48 - name: Upload Anchore Scan Report
7116 86dae713d4c6 Try to make anchore failure fail build but upload results John Rouillard <rouilj@ieee.org> parents: 7046 diff changeset	49 if: always()
6838 3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	50 uses: github/codeql-action/upload-sarif@v2
3387f458ed27 add workflow - docker container security check John Rouillard <rouilj@ieee.org> parents: diff changeset	51 with:
7044 619563fbe2d3 Fix version identofier for Anchore scan John Rouillard <rouilj@ieee.org> parents: 7043 diff changeset	52 sarif_file: ${{ steps.scan.outputs.sarif }}
619563fbe2d3 Fix version identofier for Anchore scan John Rouillard <rouilj@ieee.org> parents: 7043 diff changeset	53 - name: Inspect action SARIF report
7116 86dae713d4c6 Try to make anchore failure fail build but upload results John Rouillard <rouilj@ieee.org> parents: 7046 diff changeset	54 if: always()
7044 619563fbe2d3 Fix version identofier for Anchore scan John Rouillard <rouilj@ieee.org> parents: 7043 diff changeset	55 run: cat ${{ steps.scan.outputs.sarif }}