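---
# This workflow checks out code, re-builds an image from cache, performs a container image
# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub
# Advanced Security code scanning feature.
#
# For more information on the Anchore scan action usage and parameters, see
# https://github.com/anchore/scan-action. For more information on Anchore's container
# image scanning tool Grype, see https://github.com/anchore/grype.
#
# NOTE(review): every `uses:` below references a third-party action by a mutable tag.
# Pinning each one to a full commit SHA with the tag kept in a trailing comment
# (`uses: owner/action@<full-commit-sha> # vX.Y.Z`) protects the scan pipeline itself
# from a tag being re-pointed upstream. SHAs are intentionally not invented here.
name: "Anchore Grype Vulnerability Scan"

on:
  # Reusable workflow: the caller passes the cache key produced by its build job.
  workflow_call:
    inputs:
      cache-key:
        required: true
        type: string

jobs:
  scan-image:
    # Least privilege: only what the two steps that touch the repository / GHAS need.
    permissions:
      contents: read  # for actions/checkout to fetch code
      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
    runs-on: ubuntu-22.04
    steps:
      - name: 'Checkout'
        uses: actions/checkout@v4

      # Get the cached build layers from the build job:
      # This should always be a cache-hit, thus `restore-keys` fallback is not used.
      # No new cache uploads should ever happen for this job.
      #
      # `actions/cache/restore` has no post-job save step, so the "no uploads" intent is
      # enforced rather than relying on an exact hit to skip the save. `fail-on-cache-miss`
      # turns a silent miss (which would otherwise rebuild a *different* image from scratch
      # and scan that instead of the one produced by the build job) into a visible failure.
      - name: 'Retrieve image built from build cache'
        uses: actions/cache/restore@v3
        with:
          path: /tmp/.buildx-cache
          key: cache-buildx-${{ inputs.cache-key }}
          fail-on-cache-miss: true

      # Configures buildx to use `docker-container` driver,
      # Ensures consistent BuildKit version (not coupled to Docker Engine),
      # and increased compatibility of the build cache vs mixing buildx drivers.
      - name: 'Set up Docker Buildx'
        uses: docker/setup-buildx-action@v2.10.0

      # Importing from the cache should create the image within approx 30 seconds:
      # NOTE: `qemu` step is not needed as we only test for AMD64.
      - name: 'Build AMD64 image from cache'
        uses: docker/build-push-action@v4.2.1
        with:
          context: .
          tags: mailserver-testing:ci
          # Export the built image to the Docker host for later use:
          load: true
          # Rebuilds the AMD64 image from the cache:
          platforms: linux/amd64
          cache-from: type=local,src=/tmp/.buildx-cache
          # Disable provenance attestation: https://docs.docker.com/build/attestations/slsa-provenance/
          provenance: false

      - name: 'Run the Anchore Grype scan action'
        uses: anchore/scan-action@v3.3.6
        id: scan
        with:
          image: mailserver-testing:ci
          # Findings are reported through code scanning rather than failing this job.
          # If a hard gate is wanted later, `fail-build: true` together with the action's
          # `severity-cutoff` input lets the job fail only above a chosen severity.
          fail-build: false

      - name: 'Upload vulnerability report'
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}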