Skip to content

feat(docker): add support for using external secrets for initialization phase #1634

feat(docker): add support for using external secrets for initialization phase

feat(docker): add support for using external secrets for initialization phase #1634

# Please do not attempt to edit this flow without the direct consent from the DevOps team. This file is managed centrally.
# Contact @moabu
name: Scan Image
on:
push:
branches:
- main
- "!update-pycloud-in-**"
paths:
- "docker-jans-**/**"
- "!**.md"
pull_request:
branches:
- main
- "!update-pycloud-in-**"
paths:
- "docker-jans-**/**"
- "!docker-jans-**/version.txt"
- "!**.md"
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
strategy:
matrix:
docker-images: ["auth-server", "certmanager", "config-api", "configurator", "fido2", "persistence-loader", "scim", "monolith", "link", "casa", "all-in-one", "saml", "keycloak-link"]
steps:
- name: Harden Runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
egress-policy: audit
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Build the Container image
run: docker build ./docker-jans-${{ matrix.docker-images }} --file ./docker-jans-${{ matrix.docker-images }}/Dockerfile --tag localbuild/scanimage:latest
- uses: anchore/scan-action@1c57367e29d11f99ae56571e49f95f1a1991945e # v3.6.3
id: scan
with:
image: "localbuild/scanimage:latest"
output-format: sarif
fail-build: false
- name: Send JSON report
if: github.event_name == 'workflow_dispatch'
run: |
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
grype -v localbuild/scanimage:latest -o json > ${{ matrix.docker-images }}.results.json
curl "https://chat.gluu.org/api/v1/rooms.upload/YNz6rg7eNpngiygkv" \
-F "file=@${{ matrix.docker-images }}.results.json" \
-F "msg=${{ matrix.docker-images }} json report." \
-F "description=Scan detailed JSON report" \
-H "X-Auth-Token: ${{ secrets.MOAUTO_ROCKETCHAT_TOKEN }}" \
-H "X-User-Id: ${{ secrets.MOAUTO_ROCKETCHAT_ID }}"
- name: upload Anchore scan SARIF report
uses: github/codeql-action/upload-sarif@3ab4101902695724f9365a384f86c1074d94e18c # v3.24.7
with:
sarif_file: results.sarif
- uses: azure/container-scan@f9af925b897d8af5f7e0026b8bca9346261abc93 # v0.1
continue-on-error: true
with:
image-name: localbuild/scanimage:latest
run-quality-checks: true
severity-threshold: LOW