From 9339fd2821259d33d57bd02b5b98e548d8290e99 Mon Sep 17 00:00:00 2001
From: Eric Bariaux <375613+ebariaux@users.noreply.github.com>
Date: Fri, 27 Mar 2026 17:02:50 +0100
Subject: [PATCH 1/4] Add anchore docker image scanning to pipeline

---
 .github/workflows/proxy.yml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/.github/workflows/proxy.yml b/.github/workflows/proxy.yml
index 6b31c41..8062562 100644
--- a/.github/workflows/proxy.yml
+++ b/.github/workflows/proxy.yml
@@ -17,6 +17,10 @@ on:
 paths-ignore:
 - '**/*.md'
 
+permissions:
+ contents: read
+ security-events: write
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: true
@@ -32,11 +36,14 @@ jobs: steps: - name: Set tags + id: set-tags run: | if [ -z "$TAG" ]; then echo "TAG=-t openremote/proxy:develop" >> $GITHUB_ENV + echo "dockerImage=openremote/proxy:develop" >> $GITHUB_OUTPUT else echo "TAG=-t openremote/proxy:latest -t openremote/proxy:$TAG" >> $GITHUB_ENV + echo "dockerImage=openremote/proxy:$TAG" >> $GITHUB_OUTPUT fi env: TAG: ${{ github.event.release.tag_name }}
@@ -67,3 +74,21 @@ jobs:
 - name: build and push images
 run: |
 docker build --build-arg GIT_COMMIT=${{ github.sha }} --push --platform $PLATFORM $TAG .
+
+ - name: Scan manager docker image
+ uses: anchore/scan-action@3c9a191a0fbab285ca6b8530b5de5a642cba332f # v7.2.2
+ id: anchore-scan
+ with:
+ image: ${{ steps.set-tags.outputs.dockerImage }}
+ fail-build: false
+ severity-cutoff: critical
+
+ - name: Upload Anchore scan SARIF report
+ if: ${{ !cancelled() }}
+ uses: github/codeql-action/upload-sarif@c8e3174949dcd2ceb71718aeaa53fee4dc9052f2 # v4.31.7
+ with:
+ sarif_file: ${{ steps.anchore-scan.outputs.sarif }}
+
+ - name: Inspect Anchore scan SARIF report
+ if: ${{ !cancelled() }}
+ run: cat ${{ steps.anchore-scan.outputs.sarif }}

From c1416b52ad870f1cfaf6eda6e9fb152382953460 Mon Sep 17 00:00:00 2001
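Review bot: The scan step's `image: ${{ steps.set-tags.outputs.dockerImage }}` is a mutable tag (`openremote/proxy:develop` or `openremote/proxy:$TAG`) that the action pulls back from the registry, so what is scanned is whatever that tag resolves to at that moment rather than provably the image the preceding `docker build --push` produced; the concurrency group limits but does not remove that window. Capturing the digest from the build (for example with `--metadata-file` on the `docker build` line) and scanning `openremote/proxy@<DIGEST_FROM_BUILD>` pins the scan to the pushed artefact, and the `dockerImage` output introduced in the `Set tags` hunk above could carry that reference instead of the tag; as far as I can tell the action also scans only the runner's platform variant, so a multi-value `$PLATFORM` push is only partly covered. The step name `Scan manager docker image` looks copied from another workflow — this one builds the proxy image. The last step interpolates `${{ steps.anchore-scan.outputs.sarif }}` straight into `run:`; passing it via `env:` and using `run: cat "$SARIF_FILE"` follows the pattern the `Set tags` step already uses for `TAG`. With `fail-build: false` the job never fails on findings and the SARIF upload is the only signal, which is a reasonable first step but worth stating in a comment next to `fail-build`.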
From: Eric Bariaux <375613+ebariaux@users.noreply.github.com>
Date: Mon, 30 Mar 2026 09:38:46 +0200
Subject: [PATCH 2/4] Temporarily trigger in this branch for testing

---
 .github/workflows/proxy.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/proxy.yml b/.github/workflows/proxy.yml
index 8062562..2550dfb 100644
--- a/.github/workflows/proxy.yml
+++ b/.github/workflows/proxy.yml
@@ -12,6 +12,7 @@ on:
 push:
 branches:
 - main
+ - enhancement/anchore-scanning
 tags-ignore:
 - '*.*'
 paths-ignore:

From ef8e42279e871efa2a9a07c30fcffec960992b5d Mon Sep 17 00:00:00 2001
From: Eric Bariaux <375613+ebariaux@users.noreply.github.com>
Date: Mon, 30 Mar 2026 09:42:33 +0200
Subject: [PATCH 3/4] Trigger Build

From db8c7f26705a87aaa181893c5c005393dc0b4e23 Mon Sep 17 00:00:00 2001
From: Eric Bariaux <375613+ebariaux@users.noreply.github.com>
Date: Mon, 30 Mar 2026 09:54:37 +0200
Subject: [PATCH 4/4] Add manual workflow trigger

---
 .github/workflows/proxy.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/proxy.yml b/.github/workflows/proxy.yml
index 2550dfb..d02f372 100644
--- a/.github/workflows/proxy.yml
+++ b/.github/workflows/proxy.yml
@@ -4,6 +4,8 @@ name: Docker Image # Controls when the action will run. on: + workflow_dispatch: + # When a release is published release: types: [published]
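Review bot: The added `- enhancement/anchore-scanning` push trigger does more than exercise the new scan: with the `Set tags` logic from patch 1, a push with no release tag resolves `TAG` to `-t openremote/proxy:develop`, so every push to this feature branch builds and pushes the `develop` tag to the registry from branch code. The commit subject already marks the trigger as temporary, so it must be dropped before merge; while it is in place a ref guard on the build step, e.g. `if: github.ref == 'refs/heads/main' || github.event_name == 'release'`, or a build without `--push` for the test runs, would keep the experiment from publishing. The affected `Set tags` and `build and push images` steps are outside this hunk, in the first patch.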
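Review bot: `workflow_dispatch:` is added with no `inputs`, and because the `Set tags` step from patch 1 maps an empty `github.event.release.tag_name` to `-t openremote/proxy:develop`, a manual run started from any branch that contains this workflow file builds and pushes the `develop` tag from that branch. If the manual trigger exists to exercise the scan, an input that turns `--push` off (or a ref check on the build step) would keep it from publishing. At minimum the new trigger deserves the same kind of comment its neighbours carry, e.g. `# Manual run; non-release runs publish openremote/proxy:develop from the selected branch`.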