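---
# Reusable (workflow_call) workflow: read a JSON file listing container
# images, then scan each image with anchore/scan-action (Grype) in its own
# matrix job and parse the resulting report.
#
# Expected file shape (as consumed below):
#   {"image_registry": "<registry>", "tag": "<tag>", "images": ["<name>", ...]}
#
# Security note: every value that comes from a caller input or from the
# checked-out repository (file path, image names, registry, tag) is passed
# to shell steps via `env:` instead of being interpolated with `${{ }}`
# directly into `run:`. Direct interpolation would let a crafted file name
# or image name inject shell commands into the runner.
name: Images vulnerability scanning

permissions:
  contents: read

on:
  workflow_call:
    inputs:
      images_file:
        # Path, relative to the repository checkout, of the JSON file
        # listing the images to scan.
        required: true
        type: string

jobs:
  discover-images:
    runs-on: ubuntu-latest
    outputs:
      # Raw contents of the images file; consumed with fromJson() below.
      images-json: ${{ steps.images-json.outputs.images_json }}
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Read JSON file
        id: images-json
        # Publish the file as a multi-line step output. The random heredoc
        # delimiter stops file contents from terminating the output early
        # and appending further (attacker-chosen) outputs. The command
        # substitution guarantees the last line ends with a newline, so the
        # delimiter is recognised even when the file lacks a trailing newline.
        env:
          IMAGES_FILE: ${{ inputs.images_file }}
        run: |
          EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
          echo "images_json<<$EOF" >> "$GITHUB_OUTPUT"
          printf '%s\n' "$(cat -- "$IMAGES_FILE")" >> "$GITHUB_OUTPUT"
          echo "$EOF" >> "$GITHUB_OUTPUT"

      - name: Showing output variable
        # Debug aid only: prints the JSON that the next job will consume.
        env:
          IMAGES_JSON: ${{ steps.images-json.outputs.images_json }}
        run: echo "$IMAGES_JSON"

  report-analysis:
    runs-on: ubuntu-latest
    needs:
      - discover-images
    strategy:
      max-parallel: 3
      # Keep scanning the remaining images when one scan fails.
      fail-fast: false
      matrix:
        images: ${{ fromJson(needs.discover-images.outputs.images-json).images }}
    name: ${{ matrix.images }}
    # Resolved once per matrix job from the discovery output. Declaring these
    # as job-level env (rather than echoing them into $GITHUB_ENV from shell
    # steps) keeps registry, tag and image name off every shell command line,
    # and avoids the $GITHUB_ENV "key=value" format, where a value containing
    # a newline could define additional variables. The variable names are
    # unchanged so later steps that read them keep working.
    env:
      image_registry: ${{ fromJson(needs.discover-images.outputs.images-json).image_registry }}
      image_tag: ${{ fromJson(needs.discover-images.outputs.images-json).tag }}
      image_path: "${{ fromJson(needs.discover-images.outputs.images-json).image_registry }}/${{ matrix.images }}:${{ fromJson(needs.discover-images.outputs.images-json).tag }}"
    steps:
      # Needed for pkg/tools/grype_report_parser_tool.go in the last step.
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      - name: Running vulnerability scanner
        uses: anchore/scan-action@f2ba85e044c8f5e5014c9a539328a9c78d3bfa49 # v5.2.1
        id: vulnerability-scanning
        with:
          image: ${{ env.image_path }}
          # Never fail here; the parser step below decides what to report.
          fail-build: false
          output-format: json
          only-fixed: true
          severity-cutoff: medium

      - name: Parsing vulnerability scanner report
        # Reads the JSON report written by the scan step (results.json) and
        # emits GitHub-formatted findings for the listed severities.
        run: go run pkg/tools/grype_report_parser_tool.go -s "Medium,High,Critical" -p results.json --github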