Skip to content

Docker security scan #396

Docker security scan

Docker security scan #396

Workflow file for this run

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
# This workflow checks out code, builds an image, performs a container image
# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
# code scanning feature. For more information on the Anchore scan action usage
# and parameters, see https://github.com/anchore/scan-action. For more
# information on Anchore's container image scanning tool Grype, see
# https://github.com/anchore/grype
name: Docker security scan
on:
push:
branches: [ "develop", "uat", "main" ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "develop", "uat", "main" ]
workflow_dispatch:
schedule:
- cron: '00 07 * * *'
permissions:
contents: read
env:
DOCKERFILE: Dockerfile
jobs:
Anchore-Build-Scan:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
steps:
- name: Checkout the code
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 #v3.6.0
- name: Build the Docker image
run: docker build . --file ${{ env.DOCKERFILE }} --tag localbuild/testimage:latest
- name: Run the Anchore Grype scan action
uses: anchore/scan-action@24fd7c9060f3c96848dd1929fac8d796fb5ae4b4 #v3.3.6
id: scan
with:
image: "localbuild/testimage:latest"
fail-build: true
severity-cutoff: "high"
- name: Upload Anchore Scan Report
uses: github/codeql-action/upload-sarif@e4262713b504983e61c7728f5452be240d9385a7 #v2.14.3
if: always()
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
- name: Inspect action SARIF report
if: always()
run: cat ${{ steps.scan.outputs.sarif }}
- name: CVE Description escaped extraction and print
if: always()
run: |
SCAN_RESULTS=$(jq -r 'try .runs[0].tool.driver.rules | map(.shortDescription.text) | join("\\n")' ${{ steps.scan.outputs.sarif }})
echo "SCAN_RESULTS=$SCAN_RESULTS" >> $GITHUB_ENV
echo "CVE_CRITICAL=$(echo $SCAN_RESULTS | grep -o critical | wc -l)" >> $GITHUB_ENV
echo "CVE_HIGH=$(echo $SCAN_RESULTS | grep -o high | wc -l)" >> $GITHUB_ENV
echo "CVE_MEDIUM=$(echo $SCAN_RESULTS | grep -o medium | wc -l)" >> $GITHUB_ENV
echo -e $SCAN_RESULTS
- name: Send notification to Slack
id: slack
if: always() && github.event_name == 'schedule' && steps.scan.outcome == 'failure'
uses: slackapi/slack-github-action@485a9d42d3a73031f12ec201c457e2162c45d02d #v2.0.0
with:
payload: |
blocks:
- type: "header"
text:
type: "plain_text"
text: "${{ github.event.repository.name }} - Notification Scan Result Failed on ${{ github.ref_type }} ${{ github.ref_name }}!"
- type: "section"
text:
type: "mrkdwn"
text: "GitHub Action scan results:\n`CRITICAL`: ${{ env.CVE_CRITICAL }}\n`HIGH`: ${{ env.CVE_HIGH }}\n`MEDIUM`: ${{ env.CVE_MEDIUM }}\n\n<https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}|See execution details on GitHub>"
env:
SLACK_WEBHOOK_URL: ${{ secrets.CVE_SCAN_SLACK_WEBHOOK }}
SLACK_WEBHOOK_TYPE: incoming-webhook