mirror of
https://github.com/docker-mailserver/docker-mailserver.git
synced 2024-01-19 02:48:50 +00:00
68 lines
2.5 KiB
YAML
68 lines
2.5 KiB
YAML
|
# This workflow checks out code, re-builds an image from cache, performs a container image
|
||
|
# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub
|
||
|
# Advanced Security code scanning feature.
|
||
|
#
|
||
|
# For more information on the Anchore scan action usage and parameters, see
|
||
|
# https://github.com/anchore/scan-action. For more information on Anchore's container
|
||
|
# image scanning tool Grype, see https://github.com/anchore/grype.
|
||
|
name: "Anchore Grype Vulnerability Scan"
|
||
|
|
||
|
on:
|
||
|
workflow_call:
|
||
|
inputs:
|
||
|
cache-key:
|
||
|
required: true
|
||
|
type: string
|
||
|
|
||
|
jobs:
|
||
|
scan-image:
|
||
|
permissions:
|
||
|
contents: read # for actions/checkout to fetch code
|
||
|
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
||
|
runs-on: ubuntu-22.04
|
||
|
steps:
|
||
|
- name: 'Checkout'
|
||
|
uses: actions/checkout@v3
|
||
|
|
||
|
# Get the cached build layers from the build job:
|
||
|
# This should always be a cache-hit, thus `restore-keys` fallback is not used.
|
||
|
# No new cache uploads should ever happen for this job.
|
||
|
- name: 'Retrieve image built from build cache'
|
||
|
uses: actions/cache@v3
|
||
|
with:
|
||
|
path: /tmp/.buildx-cache
|
||
|
key: cache-buildx-${{ inputs.cache-key }}
|
||
|
|
||
|
# Configures buildx to use `docker-container` driver,
|
||
|
# Ensures consistent BuildKit version (not coupled to Docker Engine),
|
||
|
# and increased compatibility of the build cache vs mixing buildx drivers.
|
||
|
- name: 'Set up Docker Buildx'
|
||
|
uses: docker/setup-buildx-action@v2.4.1
|
||
|
|
||
|
# Importing from the cache should create the image within approx 30 seconds:
|
||
|
# NOTE: `qemu` step is not needed as we only test for AMD64.
|
||
|
- name: 'Build AMD64 image from cache'
|
||
|
uses: docker/build-push-action@v4.0.0
|
||
|
with:
|
||
|
context: .
|
||
|
tags: mailserver-testing:ci
|
||
|
# Export the built image to the Docker host for later use:
|
||
|
load: true
|
||
|
# Rebuilds the AMD64 image from the cache:
|
||
|
platforms: linux/amd64
|
||
|
cache-from: type=local,src=/tmp/.buildx-cache
|
||
|
# Disable provenance attestation: https://docs.docker.com/build/attestations/slsa-provenance/
|
||
|
provenance: false
|
||
|
|
||
|
- name: 'Run the Anchore Grype scan action'
|
||
|
uses: anchore/scan-action@v3.3.4
|
||
|
id: scan
|
||
|
with:
|
||
|
image: mailserver-testing:ci
|
||
|
fail-build: false
|
||
|
|
||
|
- name: 'Upload vulnerability report'
|
||
|
uses: github/codeql-action/upload-sarif@v2
|
||
|
with:
|
||
|
sarif_file: ${{ steps.scan.outputs.sarif }}
|