From b7d5bc4d04102d3ac9e9aadc930fcbb87392afbe Mon Sep 17 00:00:00 2001
From: Oliver Bertuch
Date: Mon, 12 Jul 2021 14:55:39 +0200
Subject: [PATCH] ci(container): add Anchor/grype based vuln scan for dataverse-k8s image
---
 .github/workflows/ghcr_push_nightly.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/.github/workflows/ghcr_push_nightly.yml b/.github/workflows/ghcr_push_nightly.yml
index a09264e8764..1a82f997e56 100644
--- a/.github/workflows/ghcr_push_nightly.yml
+++ b/.github/workflows/ghcr_push_nightly.yml
@@ -44,6 +44,19 @@ jobs:
 - name: Build images
 run: mvn -Pct package -Dct.build.tag="${IMAGE_TAG}" -Dct.build.registry="${REGISTRY}"
 
+ - name: Scan Dataverse image
+ id: scan
+ uses: anchore/scan-action@v2
+ with:
+ image: "${{ env.REGISTRY }}/gdcc/dataverse-k8s:${{ env.IMAGE_TAG }}"
+ # fail-build: true
+ severity-cutoff: critical
+ acs-report-enable: true
+ - name: upload Anchore scan SARIF report
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: ${{ steps.scan.outputs.sarif }}
+
 - name: Log in to the Container registry
 uses: docker/login-action@v1
 if: ${{ github.event_name == 'push' }}
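Review bot: Both new steps reference third-party actions by floating major tag (`anchore/scan-action@v2`, `github/codeql-action/upload-sarif@v1`), so whoever controls those tags can change the code that runs with this workflow's token; pin each `uses:` to the full commit SHA of the intended release and keep the tag as a trailing comment, e.g. `uses: anchore/scan-action@<40-char-commit-sha> # v2`. With `fail-build` left commented out, whether a critical finding blocks the push that follows depends on the action's default rather than on anything visible here, so state it explicitly: `fail-build: false` if this nightly is report-only, `fail-build: true` if critical findings must stop the image from reaching GHCR. If the scan step does fail, the SARIF upload step is skipped as written and the findings never reach Code Scanning; add `if: always()` to the "upload Anchore scan SARIF report" step. The upload also needs `security-events: write` in the job's `permissions`, which sits outside this hunk (the enclosing job starts before it) and should be confirmed.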