
Commit 0198079

Add anchore docker image scanning to pipeline (#21)
1 parent 3c4ddd9 commit 0198079

1 file changed

Lines changed: 28 additions & 0 deletions


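--- a/.github/workflows/proxy.yml
+++ b/.github/workflows/proxy.yml
@@ -4,6 +4,8 @@ name: Docker Image
 
 # Controls when the action will run.
 on:
+  workflow_dispatch:
+
   # When a release is published
   release:
     types: [published]
@@ -12,11 +14,16 @@ on:
   push:
     branches:
       - main
+      - enhancement/anchore-scanning
     tags-ignore:
       - '*.*'
     paths-ignore:
       - '**/*.md'
 
+permissions:
+  contents: read
+  security-events: write
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -32,11 +39,14 @@ jobs:
 
     steps:
       - name: Set tags
+        id: set-tags
         run: |
           if [ -z "$TAG" ]; then
             echo "TAG=-t openremote/proxy:develop" >> $GITHUB_ENV
+            echo "dockerImage=openremote/proxy:develop" >> $GITHUB_OUTPUT
           else
             echo "TAG=-t openremote/proxy:latest -t openremote/proxy:$TAG" >> $GITHUB_ENV
+            echo "dockerImage=openremote/proxy:$TAG" >> $GITHUB_OUTPUT
           fi
         env:
           TAG: ${{ github.event.release.tag_name }}
@@ -67,3 +77,21 @@ jobs:
       - name: build and push images
         run: |
           docker build --build-arg GIT_COMMIT=${{ github.sha }} --push --platform $PLATFORM $TAG .
+
+      - name: Scan manager docker image
+        uses: anchore/scan-action@3c9a191a0fbab285ca6b8530b5de5a642cba332f # v7.2.2
+        id: anchore-scan
+        with:
+          image: ${{ steps.set-tags.outputs.dockerImage }}
+          fail-build: false
+          severity-cutoff: critical
+
+      - name: Upload Anchore scan SARIF report
+        if: ${{ !cancelled() }}
+        uses: github/codeql-action/upload-sarif@c8e3174949dcd2ceb71718aeaa53fee4dc9052f2 # v4.31.7
+        with:
+          sarif_file: ${{ steps.anchore-scan.outputs.sarif }}
+
+      - name: Inspect Anchore scan SARIF report
+        if: ${{ !cancelled() }}
+        run: cat ${{ steps.anchore-scan.outputs.sarif }}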
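Review bot: The new scan step only runs after `docker build --push` has already published the image, and with `fail-build: false` a critical finding never fails the job, so the check is purely informational and cannot keep a vulnerable `openremote/proxy:develop` or release tag out of the registry; either build locally first, scan, and push in a later step, or state the intent next to the option with a comment such as `# Informational only: the image is already pushed; findings are reported via SARIF to the Security tab`. The step name `Scan manager docker image` refers to a manager image while this workflow builds `openremote/proxy`; `Scan proxy docker image` would avoid confusion in the Security tab. Separately, the `- enhancement/anchore-scanning` entry added under `push.branches` makes pushes to that feature branch run this same job with an empty `TAG`, which tags the result `openremote/proxy:develop` and overwrites the image built from `main`; if it was added to test the scan, it should be removed now that the change is merged. The enclosing job definition starts outside the shown hunks.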
