From e837b6d708863be53f043899997e81d3ba62bf2c Mon Sep 17 00:00:00 2001
From: Quentin Kaiser
Date: Sun, 24 Dec 2023 15:06:00 +0100
Subject: [PATCH] chore(build): add docker container scanning with grype.

---
 .github/workflows/build-publish-image.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/.github/workflows/build-publish-image.yml b/.github/workflows/build-publish-image.yml
index c20a573316..fd962eed74 100644
--- a/.github/workflows/build-publish-image.yml
+++ b/.github/workflows/build-publish-image.yml
@@ -61,6 +61,20 @@ jobs:
 labels: ${{ steps.meta.outputs.labels }}
 outputs: type=image,name=${{ env.DOCKER_IMAGE }},push-by-digest=true,name-canonical=true,push=true
+ - name: Docker container vulnerability scan
+ id: scan
+ uses: anchore/scan-action@v3
+ with:
+ image: ${{ env.DOCKER_IMAGE }}
+ fail-build: true
+ severity-cutoff: critical
+ only-fixed: true
+
+ - name: Upload SARIF report
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: ${{ steps.scan.outputs.sarif }}
+
 - name: Check unblob - help
 run: docker run --rm ${{ env.DOCKER_IMAGE }}:latest --help
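Review bot: With `fail-build: true` on the scan step, any finding at or above the cutoff fails that step and the following `Upload SARIF report` step is skipped, so the exact run whose results should land in code scanning never uploads them; add `if: always()` (or `if: ${{ !cancelled() }}`) to the upload step and keep `fail-build: true`, or set `fail-build: false` and gate on the result in a later step. The scan target `image: ${{ env.DOCKER_IMAGE }}` carries no tag or digest, so grype resolves `:latest` from the registry, which — given the preceding step pushes by digest only — is presumably the previously published image rather than the one just built; pin the scan to the build output, e.g. `image: ${{ env.DOCKER_IMAGE }}@${{ steps.<build-step-id>.outputs.digest }}` (the build step's `id` is outside the hunk, so the exact reference needs checking). Both new actions are referenced by floating major tags (`anchore/scan-action@v3`, `github/codeql-action/upload-sarif@v2`) inside a job that holds registry push credentials; pinning each to a full commit SHA with a trailing `# vX.Y.Z` comment removes that supply-chain exposure. Note also that `upload-sarif` requires `security-events: write` in the job's `permissions`, which is not visible in this hunk and should be confirmed.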