-
Notifications
You must be signed in to change notification settings - Fork 410
163 lines (159 loc) · 5.34 KB
/
vulnerability-scanning.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
name: "Vulnerability scan"
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
paths:
- pom.xml
- '**/pom.xml'
- Dockerfile
schedule:
- cron: '0 0 * * MON'
permissions:
contents: read
env:
TEST_IMAGE_NAME: 'local/openrouteservice:test'
jobs:
prepare_environment:
name: Prepare the environment variables
runs-on: ubuntu-latest
outputs:
test_image_name: ${{ env.TEST_IMAGE_NAME }}
steps:
- run: |
echo "Publish environment variables"
Anchore-Jar-War-Build-Scan:
name: Grype scan jar and war file
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: '17'
- name: Cache Maven packages
uses: actions/cache@v4
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2
- name: Download maven dependencies
run: mvn package -Dmaven.test.skip=true -B dependency:go-offline dependency:resolve-plugins dependency:resolve -q
- name: Build jar and war file
run: |
mvn -B package -DskipTests -DCI=true
# Copy the .jar file to a custom location where grype can find it
mkdir -p ors-api/target/grype
cp ors-api/target/ors.jar ors-api/target/grype/ors.jar
mvn -B package -DskipTests -PbuildWar -DCI=true
cp ors-api/target/ors.war ors-api/target/grype/ors.war
- name: Run the Anchore Grype scan action to console
uses: anchore/scan-action@v3
with:
path: "ors-api/target/grype/"
fail-build: false
output-format: table
- name: Run the Anchore Grype scan action to SARIF
uses: anchore/scan-action@v3
id: scan
with:
path: "ors-api/target/grype/"
fail-build: false
output-format: sarif
- name: Upload vulnerability report
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
category: Grype-War-Scan
Anchore-Docker-Image-Scan:
name: Grype scan ${{ matrix.platform }} image
runs-on: ${{ matrix.image }}
needs:
- prepare_environment
permissions:
actions: read
contents: read
security-events: write
strategy:
matrix:
platform: [ linux/amd64,linux/arm64/v8 ]
image: [ ubuntu-latest ]
# linux/arm64/v8 is emulated with qemu and takes ages to build the graph.
# Only run linux/arm64/v8 tests on ready PR and main.
isDraftPR:
- ${{ github.event_name == 'pull_request' && github.event.pull_request.draft == true }}
exclude:
- isDraftPR: true
platform: linux/arm64/v8
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up QEMU for ${{ matrix.platform }}
uses: docker/setup-qemu-action@v3
with:
platforms: ${{ matrix.platform }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
id: buildx
with:
install: true
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: '17'
- name: Cache Maven packages
uses: actions/cache@v4
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2
- name: Prepare the maven cache dependencies
run: |
echo "Sync the maven dependencies"
mvn package -Dmaven.test.skip=true -B dependency:go-offline dependency:resolve-plugins dependency:resolve -q
# Replace all RUN mvn with RUN --mount=type=cache,target=/root/.m2 mvn
sed -i 's/RUN mvn /RUN --mount=type=cache,target=\/root\/.m2 mvn /g' Dockerfile
- name: inject maven-build-cache into docker
uses: reproducible-containers/[email protected]
with:
cache-map: |
{
"/home/runner/.m2": "/root/.m2"
}
- name: Build image for ${{ matrix.platform }}
uses: docker/build-push-action@v4
with:
context: .
push: false
load: true
tags: ${{ needs.prepare_environment.outputs.test_image_name }}
platforms: ${{ matrix.platform }}
cache-from: type=gha
- name: Run the Anchore Grype scan action to console
uses: anchore/scan-action@v3
with:
image: ${{ needs.prepare_environment.outputs.test_image_name }}
fail-build: false
output-format: table
- name: Run the Anchore Grype scan action to SARIF
uses: anchore/scan-action@v3
id: scan
with:
image: ${{ needs.prepare_environment.outputs.test_image_name }}
fail-build: false
output-format: sarif
- name: Upload vulnerability report
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
category: Grype-Docker-Image-${{ matrix.platform }}