2021-11-19 16:55:27 +01:00
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow checks out code, builds an image, performs a container image
# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
# code scanning feature. For more information on the Anchore scan action usage
# and parameters, see https://github.com/anchore/scan-action. For more
# information on Anchore's container image scanning tool Grype, see
# https://github.com/anchore/grype
name : Anchore Container Scan
on :
push :
branches : [ $default-branch, $protected-branches ]
pull_request :
# The branches below must be a subset of the branches above
branches : [ $default-branch ]
schedule :
- cron : $cron-weekly
2022-01-31 14:23:00 +05:30
permissions :
contents : read
2021-11-19 16:55:27 +01:00
jobs :
Anchore-Build-Scan :
2022-01-31 14:23:00 +05:30
permissions :
contents : read # for actions/checkout to fetch code
security-events : write # for github/codeql-action/upload-sarif to upload SARIF results
2022-05-31 12:28:16 +02:00
actions : read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github#example-workflow-for-sarif-files-generated-outside-of-a-repository
2021-11-19 16:55:27 +01:00
runs-on : ubuntu-latest
steps :
- name : Checkout the code
2022-03-28 13:10:48 -04:00
uses : actions/checkout@v3
2021-11-19 16:55:27 +01:00
- name : Build the Docker image
run : docker build . --file Dockerfile --tag localbuild/testimage:latest
- name : Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
uses : anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd
with :
image : "localbuild/testimage:latest"
acs-report-enable : true
- name : Upload Anchore Scan Report
2022-03-31 08:24:35 -04:00
uses : github/codeql-action/upload-sarif@v2
2021-11-19 16:55:27 +01:00
with :
2022-01-31 14:23:00 +05:30
sarif_file : results.sarif