docker-mailserver/.github/workflows/generic_vulnerability-scan.yml

68 lines
2.5 KiB
YAML
Raw Normal View History

# This workflow checks out code, re-builds an image from cache, performs a container image
# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub
# Advanced Security code scanning feature.
#
# For more information on the Anchore scan action usage and parameters, see
# https://github.com/anchore/scan-action. For more information on Anchore's container
# image scanning tool Grype, see https://github.com/anchore/grype.
name: "Anchore Grype Vulnerability Scan"
on:
workflow_call:
inputs:
cache-key:
required: true
type: string
jobs:
scan-image:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-22.04
steps:
- name: 'Checkout'
uses: actions/checkout@v4
# Get the cached build layers from the build job:
# This should always be a cache-hit, thus `restore-keys` fallback is not used.
# No new cache uploads should ever happen for this job.
- name: 'Retrieve image built from build cache'
uses: actions/cache@v3
with:
path: /tmp/.buildx-cache
key: cache-buildx-${{ inputs.cache-key }}
# Configures buildx to use `docker-container` driver,
# Ensures consistent BuildKit version (not coupled to Docker Engine),
# and increased compatibility of the build cache vs mixing buildx drivers.
- name: 'Set up Docker Buildx'
uses: docker/setup-buildx-action@v2.10.0
# Importing from the cache should create the image within approx 30 seconds:
# NOTE: `qemu` step is not needed as we only test for AMD64.
- name: 'Build AMD64 image from cache'
uses: docker/build-push-action@v4.2.1
with:
context: .
tags: mailserver-testing:ci
# Export the built image to the Docker host for later use:
load: true
# Rebuilds the AMD64 image from the cache:
platforms: linux/amd64
cache-from: type=local,src=/tmp/.buildx-cache
# Disable provenance attestation: https://docs.docker.com/build/attestations/slsa-provenance/
provenance: false
- name: 'Run the Anchore Grype scan action'
uses: anchore/scan-action@v3.3.6
id: scan
with:
image: mailserver-testing:ci
fail-build: false
- name: 'Upload vulnerability report'
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.scan.outputs.sarif }}