try this logic #83
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Last applied at: Wed, 12 Feb 2025 02:55:39 GMT | |
| # DevOps Shield - The ultimate DevSecOps platform designed to secure your DevOps. | |
| # https://devopsshield.com | |
| ############################################################## | |
| # This is a DevOps Shield - Application Security - Code Security Template. | |
| # This workflow template uses actions that are not certified by DevOps Shield. | |
| # They are provided by a third-party and are governed by separate terms of service, privacy policy, and support documentation. | |
| # Use this workflow template for integrating code security into your pipelines and workflows. | |
| # DevOps Shield Workflow Template Details: | |
| # ------------------------------------------------------------ | |
| # Code: GH_CIS_ANCHORE_GRYPE | |
| # Name: Anchore Grype Vulnerability Scan (Container Image Scanning) | |
| # DevSecOpsControls: CIS | |
| # Provider: Anchore | |
| # Categories: Code Scanning, Dockerfile | |
| # Description: | |
| # Anchore Grype is a vulnerability scanner for container images and filesystems. | |
| # Scan the contents of a container image or filesystem to find known vulnerabilities. | |
| # Anchore container analysis and scan provided as a GitHub Action. | |
| # This workflow checks out code, builds an image, performs a container image vulnerability scan with Anchore's Grype tool, | |
| # and integrates the results with GitHub Advanced Security code scanning feature. | |
| # Read the official documentation to find out more. | |
| # For more information: | |
| # https://github.com/anchore/grype | |
| # ------------------------------------------------------------ | |
| # Source repository: https://github.com/anchore/scan-action | |
| ############################################################## | |
| name: Anchore Grype Vulnerability Scan (Container Image Scanning) | |
| on: | |
| push: | |
| branches: [master] | |
| pull_request: | |
| branches: [master] | |
| schedule: | |
| - cron: 0 0 * * 0 | |
| env: | |
| fail-build: false # Set to true to fail the build if vulnerabilities are found | |
| imageName: "localbuild/testimage" | |
| tag: "latest" | |
| jobs: | |
| anchore-grype-scan: | |
| name: Anchore Grype Vulnerability Scan | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read # for actions/checkout to fetch code | |
| security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
| actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Build an image from Dockerfile | |
| uses: docker/build-push-action@v4 | |
| with: | |
| tags: "${{ env.imageName }}:${{ env.tag }}" | |
| push: false | |
| load: true | |
| - name: Run the Anchore Grype scan action | |
| uses: anchore/scan-action@v6 | |
| id: scan | |
| with: | |
| image: "${{ env.imageName }}:${{ env.tag }}" | |
| fail-build: ${{ env.fail-build }} | |
| severity-cutoff: critical | |
| - name: Upload Anchore vulnerability report to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: ${{ steps.scan.outputs.sarif }} |