Anchore-Grype Security Scans #219
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Anchore-Grype Security Scans | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| # Run this against the default branch every Monday at 5:30AM | |
| - cron: "30 5 * * 2" | |
| permissions: write-all | |
| env: | |
| JDK: 21 | |
| jobs: | |
| scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - name: Setup Java | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: "temurin" | |
| java-version: ${{ env.JDK }} | |
| - name: Setup Gradle | |
| uses: gradle/gradle-build-action@v3 | |
| with: | |
| gradle-version: "8.7" | |
| - name: Setup Environment Variables For Build Process | |
| id: current_version | |
| run: | | |
| # Read Version from gradle.properties | |
| echo "VERSION=`grep '^version=' gradle.properties | cut -d'=' -f2`" >> $GITHUB_ENV | |
| # Stable | |
| echo "Github Ref is $GITHUB_REF" | |
| echo "BRANCH=main" >> $GITHUB_ENV | |
| # Snapshot | |
| if [ $GITHUB_REF == 'refs/heads/development' ] | |
| then | |
| echo "BRANCH=development" >> $GITHUB_ENV | |
| fi | |
| - name: Build it! | |
| run: gradle clean jar | |
| - name: Scan generated packages | |
| uses: anchore/scan-action@v3 | |
| id: securityscan | |
| with: | |
| path: "./build/libs" | |
| output-format: table | |
| fail-build: true | |
| # - name: Upload Anchore Report | |
| # uses: github/codeql-action/upload-sarif@v2 | |
| # with: | |
| # sarif_file: ${{ steps.imagescan.outputs.sarif }} | |
| # category: "BoxLang-Runtime-${{ github.env.BRANCH }}" |