# This workflow checks out code, re-builds an image from cache, performs a container image # vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub # Advanced Security code scanning feature. # # For more information on the Anchore scan action usage and parameters, see # https://github.com/anchore/scan-action. For more information on Anchore's container # image scanning tool Grype, see https://github.com/anchore/grype. name: "Anchore Grype Vulnerability Scan" on: workflow_call: inputs: cache-key: required: true type: string jobs: scan-image: permissions: contents: read # for actions/checkout to fetch code security-events: write # for github/codeql-action/upload-sarif to upload SARIF results runs-on: ubuntu-22.04 steps: - name: 'Checkout' uses: actions/checkout@v4 # Get the cached build layers from the build job: # This should always be a cache-hit, thus `restore-keys` fallback is not used. # No new cache uploads should ever happen for this job. - name: 'Retrieve image built from build cache' uses: actions/cache@v3 with: path: /tmp/.buildx-cache key: cache-buildx-${{ inputs.cache-key }} # Configures buildx to use `docker-container` driver, # Ensures consistent BuildKit version (not coupled to Docker Engine), # and increased compatibility of the build cache vs mixing buildx drivers. - name: 'Set up Docker Buildx' uses: docker/setup-buildx-action@v3.0.0 # Importing from the cache should create the image within approx 30 seconds: # NOTE: `qemu` step is not needed as we only test for AMD64. - name: 'Build AMD64 image from cache' uses: docker/build-push-action@v5.1.0 with: context: . tags: mailserver-testing:ci # Export the built image to the Docker host for later use: load: true # Rebuilds the AMD64 image from the cache: platforms: linux/amd64 cache-from: type=local,src=/tmp/.buildx-cache # Disable provenance attestation: https://docs.docker.com/build/attestations/slsa-provenance/ provenance: false - name: 'Run the Anchore Grype scan action' uses: anchore/scan-action@v3.4.0 id: scan with: image: mailserver-testing:ci fail-build: false - name: 'Upload vulnerability report' uses: github/codeql-action/upload-sarif@v3 with: sarif_file: ${{ steps.scan.outputs.sarif }}