-
Notifications
You must be signed in to change notification settings - Fork 410
136 lines (132 loc) · 4.14 KB
/
vulnerability-scanning.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
name: "Vulnerability scan"
on:
push:
branches: [ "master", "main" ]
pull_request:
branches: [ "master", "main" ]
paths:
- pom.xml
- '**/pom.xml'
- Dockerfile
schedule:
- cron: '0 0 * * MON'
permissions:
contents: read
env:
TEST_IMAGE_NAME: 'local/openrouteservice:test'
jobs:
prepare_environment:
name: Prepare the environment variables
runs-on: ubuntu-latest
outputs:
test_image_name: ${{ env.TEST_IMAGE_NAME }}
steps:
- run: |
echo "Publish environment variables"
Anchore-War-Build-Scan:
name: Grype scan war file
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v3
- uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Set up JDK 17
uses: actions/setup-java@v2
with:
distribution: 'temurin'
java-version: '17'
- name: Cache Maven packages
uses: actions/cache@v2
with:
path: ~/.m2
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2
- name: Build war file
run: |
mvn -B package -DskipTests -DCI=true
# Copy the .war file to a custom location where grype can find it
mkdir -p ors-api/target/grype
cp ors-api/target/ors.war ors-api/target/grype/ors.war
- name: Run the Anchore Grype scan action to console
uses: anchore/scan-action@v3
with:
path: "ors-api/target/grype/"
fail-build: false
output-format: table
- name: Run the Anchore Grype scan action to SARIF
uses: anchore/scan-action@v3
id: scan
with:
path: "ors-api/target/grype/"
fail-build: false
output-format: sarif
- name: Upload vulnerability report
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
category: Grype-War-Scan
Anchore-Docker-Image-Scan:
name: Grype scan ${{ matrix.platform }} image
runs-on: ${{ matrix.image }}
needs:
- prepare_environment
permissions:
actions: read
contents: read
security-events: write
strategy:
matrix:
platform: [ linux/amd64,linux/arm64/v8 ]
image: [ ubuntu-latest ]
# linux/arm64/v8 is emulated with qemu and takes ages to build the graph.
# Only run linux/arm64/v8 tests on ready PR and master.
isDraftPR:
- ${{ github.event_name == 'pull_request' && github.event.pull_request.draft == true }}
exclude:
- isDraftPR: true
platform: linux/arm64/v8
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Set up QEMU for ${{ matrix.platform }}
uses: docker/setup-qemu-action@v2
with:
platforms: ${{ matrix.platform }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
id: buildx
with:
install: true
- name: Build image for ${{ matrix.platform }}
uses: docker/build-push-action@v4
with:
context: .
push: false
load: true
tags: ${{ needs.prepare_environment.outputs.test_image_name }}
platforms: ${{ matrix.platform }}
cache-from: type=gha
- name: Run the Anchore Grype scan action to console
uses: anchore/scan-action@v3
with:
image: ${{ needs.prepare_environment.outputs.test_image_name }}
fail-build: false
output-format: table
- name: Run the Anchore Grype scan action to SARIF
uses: anchore/scan-action@v3
id: scan
with:
image: ${{ needs.prepare_environment.outputs.test_image_name }}
fail-build: false
output-format: sarif
- name: Upload vulnerability report
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
category: Grype-Docker-Image-${{ matrix.platform }}