Mercurial > p > roundup > code

annotate .github/workflows/anchore.yml @ 7481:d397647d8d5a

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Add latest fix and update number of changes.
author John Rouillard <rouilj@ieee.org>
date Sun, 11 Jun 2023 23:06:29 -0400
parents 010eb3b00877
children e6cd3f3cd691
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
6838
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
1 # This workflow uses actions that are not certified by GitHub.
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
2 # They are provided by a third-party and are governed by
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
3 # separate terms of service, privacy policy, and support
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
4 # documentation.
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
5
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
6 # This workflow checks out code, builds an image, performs a container image
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
7 # vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
8 # code scanning feature. For more information on the Anchore scan action usage
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
9 # and parameters, see https://github.com/anchore/scan-action. For more
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
10 # information on Anchore's container image scanning tool Grype, see
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
11 # https://github.com/anchore/grype
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
12 name: Anchore Container Scan
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
13
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
14 on:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
15 push:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
16 branches: [ "master" ]
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
17 pull_request:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
18 # The branches below must be a subset of the branches above
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
19 branches: [ "master" ]
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
20 schedule:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
21 - cron: '38 21 * * 6'
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
22
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
23 permissions:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
24 contents: read
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
25
6956
ca6b056b79a4 only run on most current push.
John Rouillard <rouilj@ieee.org>
parents: 6838
diff changeset
26 concurrency:
ca6b056b79a4 only run on most current push.
John Rouillard <rouilj@ieee.org>
parents: 6838
diff changeset
27 group: ${{ github.workflow }}-${{ github.ref }}
ca6b056b79a4 only run on most current push.
John Rouillard <rouilj@ieee.org>
parents: 6838
diff changeset
28 cancel-in-progress: true
ca6b056b79a4 only run on most current push.
John Rouillard <rouilj@ieee.org>
parents: 6838
diff changeset
29
6838
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
30 jobs:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
31 Anchore-Build-Scan:
7194
8dc5b3739367 Prevent github actions from running if commit includes 'no-github-ci'
John Rouillard <rouilj@ieee.org>
parents: 7186
diff changeset
32 if: "!contains(github.event.head_commit.message, 'no-github-ci')"
6838
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
33 permissions:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
34 contents: read # for actions/checkout to fetch code
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
35 security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
36 actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
37 runs-on: ubuntu-latest
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
38 steps:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
39 - name: Checkout the code
7273
6bffcc837bf7 Add list of docker to allow checking size.
John Rouillard <rouilj@ieee.org>
parents: 7270
diff changeset
40 uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
6838
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
41 - name: Build the Docker image
7147
7f4d20ebae4a another try. Use same shell that builds roundup image to update base.
John Rouillard <rouilj@ieee.org>
parents: 7146
diff changeset
42 run: docker pull python:3-alpine; docker build . --file scripts/Docker/Dockerfile --tag localbuild/testimage:latest
7273
6bffcc837bf7 Add list of docker to allow checking size.
John Rouillard <rouilj@ieee.org>
parents: 7270
diff changeset
43 - name: List the Docker image
6bffcc837bf7 Add list of docker to allow checking size.
John Rouillard <rouilj@ieee.org>
parents: 7270
diff changeset
44 run: docker image ls
6838
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
45 - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
7244
4c1d62dbcffe Bump anchore/scan-action from 3.3.4 to 3.3.5 - https://github.com/roundup-tracker/roundup/pull/14
John Rouillard <rouilj@ieee.org>
parents: 7236
diff changeset
46 uses: anchore/scan-action@4be3c24559b430723e51858969965e163b196957 # v3.3.5
7044
619563fbe2d3 Fix version identofier for Anchore scan
John Rouillard <rouilj@ieee.org>
parents: 7043
diff changeset
47 id: scan
6838
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
48 with:
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
49 image: "localbuild/testimage:latest"
7116
86dae713d4c6 Try to make anchore failure fail build but upload results
John Rouillard <rouilj@ieee.org>
parents: 7046
diff changeset
50 fail-build: true
6838
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
51 - name: Upload Anchore Scan Report
7116
86dae713d4c6 Try to make anchore failure fail build but upload results
John Rouillard <rouilj@ieee.org>
parents: 7046
diff changeset
52 if: always()
7447
010eb3b00877 Bump github/codeql-action from 2.3.5 to 2.3.6 - https://github.com/roundup-tracker/roundup/pull/35
John Rouillard <rouilj@ieee.org>
parents: 7425
diff changeset
53 uses: github/codeql-action/upload-sarif@83f0fe6c4988d98a455712a27f0255212bba9bd4
010eb3b00877 Bump github/codeql-action from 2.3.5 to 2.3.6 - https://github.com/roundup-tracker/roundup/pull/35
John Rouillard <rouilj@ieee.org>
parents: 7425
diff changeset
54 # v2.3.6
6838
3387f458ed27 add workflow - docker container security check
John Rouillard <rouilj@ieee.org>
parents:
diff changeset
55 with:
7044
619563fbe2d3 Fix version identofier for Anchore scan
John Rouillard <rouilj@ieee.org>
parents: 7043
diff changeset
56 sarif_file: ${{ steps.scan.outputs.sarif }}
619563fbe2d3 Fix version identofier for Anchore scan
John Rouillard <rouilj@ieee.org>
parents: 7043
diff changeset
57 - name: Inspect action SARIF report
7116
86dae713d4c6 Try to make anchore failure fail build but upload results
John Rouillard <rouilj@ieee.org>
parents: 7046
diff changeset
58 if: always()
7044
619563fbe2d3 Fix version identofier for Anchore scan
John Rouillard <rouilj@ieee.org>
parents: 7043
diff changeset
59 run: cat ${{ steps.scan.outputs.sarif }}
Roundup Issue Tracker: http://roundup-tracker.org/