Files
starter-workflows/code-scanning/sysdig-scan.yml
T
2021-09-16 10:47:05 +02:00

44 lines
1.1 KiB
YAML

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: Sysdig - Build, scan, push and upload sarif report
on:
push:
branches: [ $default-branch, $protected-branches ]
pull_request:
branches: [ $default-branch ]
schedule:
- cron: $cron-weekly
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- name: Build the Docker image
run: docker build . --file Dockerfile --tag ${{ github.head_ref }}:latest
- name: Sysdig Secure Inline Scan
id: scan
uses: sysdiglabs/scan-action@v3
with:
# Tag of the image to analyse
image-tag: "${{ github.head_ref }}:latest"
# API token for Sysdig Scanning auth
sysdig-secure-token: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
dockerfile-path: ./Dockerfile
input-type: docker-daemon
ignore-failed-scan: true
- uses: github/codeql-action/upload-sarif@v1
if: always()
with:
sarif_file: ${{ steps.scan.outputs.sarifReport }