container vulnerability scanning #157

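# Scans every container image listed in build/valid_images.json (read from
# master) with Grype via anchore/scan-action, then runs the repository's
# report parser over the JSON result. Triggered manually or after a
# completed "Build and test" run on master.
name: container vulnerability scanning

# yamllint disable-line rule:truthy
on:
  workflow_dispatch:
  workflow_run:
    workflows: ["Build and test"]
    types:
      - completed
    branches:
      - master

# Least privilege for GITHUB_TOKEN: nothing below writes to the repository.
# Widen per job if the report parser is ever made to publish results.
permissions:
  contents: read

jobs:
  # Reads the image list once and exposes it as a job output so the scan job
  # can fan out over it with a matrix.
  vulnerability-scanner:
    # NOTE(review): ubuntu-20.04 is retired upstream — confirm it still resolves.
    runs-on: ubuntu-20.04
    steps:
      - name: Create repo directory before checking out latest code
        run: mkdir -p repo
      - name: Checkout the latest code
        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
        with:
          ref: master
          path: repo
      - name: Read JSON file
        id: valid-image-json
        # Multi-line output: a random heredoc delimiter cannot collide with
        # any line of the JSON file, so the output cannot be terminated early.
        run: |
          EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
          echo "images_list<<$EOF" >> "$GITHUB_OUTPUT"
          cat repo/build/valid_images.json >> "$GITHUB_OUTPUT"
          echo "$EOF" >> "$GITHUB_OUTPUT"
      - name: Reading output variable
        # Hand the value to the shell through env instead of expanding
        # ${{ }} inside the script, so file contents are never parsed as shell.
        env:
          IMAGES_LIST: ${{ steps.valid-image-json.outputs.images_list }}
        run: echo "$IMAGES_LIST"
    outputs:
      valid_images: ${{ steps.valid-image-json.outputs.images_list }}

  # One scan per image; registry and tag are shared across the matrix.
  report-analysis:
    runs-on: ubuntu-20.04
    needs:
      - vulnerability-scanner
    strategy:
      max-parallel: 3
      fail-fast: false
      matrix:
        images: ${{ fromJson(needs.vulnerability-scanner.outputs.valid_images).images }}
    # Values taken from the JSON file reach the shell as environment
    # variables, not as ${{ }} expansions inside run: scripts (script
    # injection hardening).
    env:
      IMAGE_REGISTRY: ${{ fromJson(needs.vulnerability-scanner.outputs.valid_images).image_registry }}
      IMAGE_TAG: ${{ fromJson(needs.vulnerability-scanner.outputs.valid_images).tag }}
      IMAGE_NAME: ${{ matrix.images }}
    steps:
      - name: Printing Image Registry
        id: image-registry
        run: echo "image_registry=$IMAGE_REGISTRY" >> "$GITHUB_ENV"
      - name: Printing Image Tag
        id: image-tag
        run: echo "image_tag=$IMAGE_TAG" >> "$GITHUB_ENV"
      - name: Printing Image Path
        # Full reference for this matrix entry: <registry>/<image>:<tag>.
        run: echo "image_path=${IMAGE_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}" >> "$GITHUB_ENV"
      - name: Running vulnerability scanner
        # TODO(review): pin to a full commit SHA, as the checkout steps are,
        # so a moved v3 tag cannot silently change what runs here.
        uses: anchore/scan-action@v3
        id: vulnerability-scanning
        with:
          image: ${{ env.image_path }}
          # Never fail the job here; the parser step below decides what to report.
          fail-build: false
          output-format: json
          only-fixed: true
      - name: Create repo directory before checking out latest code
        run: mkdir -p repo
      - name: Checkout the latest code
        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
        with:
          ref: master
          path: repo
      - name: Parsing vulnerability scanner report
        # Presumably -s filters to the listed severities and -p names the
        # scan step's JSON report — confirm against the tool's usage.
        run: go run repo/pkg/tools/grype_report_parser_tool.go -s "High,Critical" -p results.json --github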