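# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# This workflow checks out code, builds an image, performs a container image
# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
# code scanning feature. For more information on the Anchore scan action usage
# and parameters, see https://github.com/anchore/scan-action. For more
# information on Anchore's container image scanning tool Grype, see
# https://github.com/anchore/grype

name: Anchore Container Scan

# $default-branch, $protected-branches and $cron-weekly are starter-workflow
# placeholders that GitHub substitutes when the template is added to a repository;
# replace them by hand if this file is copied in directly.
on:
  push:
    branches: [ $default-branch, $protected-branches ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ $default-branch ]
  schedule:
    - cron: $cron-weekly

jobs:
  Anchore-Build-Scan:
    runs-on: ubuntu-latest
    # Least-privilege token for this job: checkout only needs to read the
    # repository, and upload-sarif needs security-events: write to publish
    # results to code scanning (the upload fails without it when the
    # repository's default GITHUB_TOKEN permissions are restricted).
    # actions: read is only required on private repositories.
    permissions:
      contents: read
      security-events: write
      actions: read
    steps:
      # NOTE(review): the @v2 / @v1 majors used below are old; check GitHub's
      # deprecation notices for the action runtime before relying on this
      # template as-is.
      - name: Checkout the code
        uses: actions/checkout@v2

      - name: Build the Docker image
        run: docker build . --file Dockerfile --tag localbuild/testimage:latest

      # The scan action is pinned to a full commit SHA rather than a mutable
      # tag, which is the recommended way to consume a third-party action.
      - name: Run the Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
        uses: anchore/scan-action@b08527d5ae7f7dc76f9621edb6e49eaf47933ccd
        with:
          image: "localbuild/testimage:latest"
          acs-report-enable: true

      # always() keeps the upload running when the scan step fails the job on
      # findings (its fail-build behaviour is controlled by the action's own
      # inputs); without it the report never reaches code scanning in exactly
      # the case where it matters most.
      - name: Upload Anchore Scan Report
        if: always()
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: results.sarif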