From 022ac9babb7d92b4ea5775cb0385fcc4101d2ad4 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Fri, 23 Sep 2022 08:51:24 -0400 Subject: [PATCH] Update Anchore Grype scan action workflow --- code-scanning/anchore.yml | 19 ++++++++++--------- .../properties/anchore-syft.properties.json | 2 +- .../properties/anchore.properties.json | 8 ++++---- 3 files changed, 15 insertions(+), 14 deletions(-) diff --git a/code-scanning/anchore.yml b/code-scanning/anchore.yml index a3d2eed..818fb70 100644 --- a/code-scanning/anchore.yml +++ b/code-scanning/anchore.yml @@ -9,7 +9,7 @@ # and parameters, see https://github.com/anchore/scan-action. For more # information on Anchore's container image scanning tool Grype, see # https://github.com/anchore/grype -name: Anchore Container Scan +name: Anchore Grype vulnerability scan on: push: @@ -28,20 +28,21 @@ jobs: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status + actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status runs-on: ubuntu-latest steps: - - name: Checkout the code + - name: Check out the code uses: actions/checkout@v3 - name: Build the Docker image run: docker build . --file Dockerfile --tag localbuild/testimage:latest - - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled - uses: anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd + - name: Run the Anchore Grype scan action + uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7 + id: scan with: image: "localbuild/testimage:latest" - acs-report-enable: true - fail-build: false - - name: Upload Anchore Scan Report + fail-build: true + severity-cutoff: critical + - name: Upload vulnerability report uses: github/codeql-action/upload-sarif@v2 with: - sarif_file: results.sarif + sarif_file: ${{ steps.scan.outputs.sarif }} diff --git a/code-scanning/properties/anchore-syft.properties.json b/code-scanning/properties/anchore-syft.properties.json index 815f8b2..aa4cb1e 100644 --- a/code-scanning/properties/anchore-syft.properties.json +++ b/code-scanning/properties/anchore-syft.properties.json @@ -1,6 +1,6 @@ { "name": "Anchore Syft SBOM Scan", - "organization": "Anchore", + "creator": "Anchore", "description": "Produce Software Bills of Materials based on Anchore's open source Syft tool.", "iconName": "anchore", "categories": ["Code Scanning", "dockerfile", "dependency-management"] diff --git a/code-scanning/properties/anchore.properties.json b/code-scanning/properties/anchore.properties.json index d997da4..94634dd 100644 --- a/code-scanning/properties/anchore.properties.json +++ b/code-scanning/properties/anchore.properties.json @@ -1,7 +1,7 @@ { - "name": "Anchore Container Scan", - "creator": "Indeni Cloudrail", - "description": "Produce container image vulnerability and compliance reports based on the open-source Anchore container image scanner.", + "name": "Anchore Grype Vulnerability Scan", + "creator": "Anchore", + "description": "Produce source and container vulnerability reports based on Anchore's open source Grype tool.", "iconName": "anchore", "categories": ["Code Scanning", "dockerfile"] -} \ No newline at end of file +}