
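---
# Vulnerability scanning with Anchore Grype.
# One job scans the built .war, a matrix job scans the Docker image per
# platform; both upload SARIF so findings land in the repository's
# code-scanning alerts (hence `security-events: write` on those jobs).
#
# NOTE(review): every action below is referenced by a mutable major tag
# (e.g. actions/checkout@v3). Pinning each `uses:` to a full commit SHA,
# `uses: owner/action@<full-commit-sha>  # vX.Y.Z`, removes the
# tag-retarget risk; the tags are left as found here.
name: "Vulnerability scan"
# yamllint disable-line rule:truthy -- `on` reads as a boolean under YAML 1.1; GitHub's loader handles it.
on:
  push:
    branches: [ "master", "main" ]
  pull_request:
    branches: [ "master", "main" ]
    # The path filter is attached to pull_request only; pushes to the
    # listed branches are scanned regardless of which files changed.
    paths:
      - pom.xml
      - '**/pom.xml'
      - Dockerfile
  schedule:
    # Weekly re-scan so newly published advisories surface without a code change.
    - cron: '0 0 * * MON'

# Default token scope for every job; the scanning jobs widen it below.
permissions:
  contents: read

env:
  TEST_IMAGE_NAME: 'local/openrouteservice:test'

jobs:
  # Re-exports the workflow-level env value as a job output so the matrix
  # job can read it through `needs.*`; the step itself only prints a marker.
  prepare_environment:
    name: Prepare the environment variables
    runs-on: ubuntu-latest
    outputs:
      test_image_name: ${{ env.TEST_IMAGE_NAME }}
    steps:
      - run: |
          echo "Publish environment variables"

  Anchore-War-Build-Scan:
    name: Grype scan war file
    runs-on: ubuntu-latest
    permissions:
      actions: read
      contents: read
      security-events: write  # required by upload-sarif
    steps:
      # One full-history checkout replaces the former pair of checkouts
      # (actions/checkout@v3 followed by actions/checkout@v2 with
      # fetch-depth: 0), which fetched the tree twice with two action versions.
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Set up JDK 17
        uses: actions/setup-java@v2
        with:
          distribution: 'temurin'
          java-version: '17'
      - name: Cache Maven packages
        uses: actions/cache@v2
        with:
          path: ~/.m2
          key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
          restore-keys: ${{ runner.os }}-m2
      - name: Build war file
        run: |
          mvn -B package -DskipTests -DCI=true
          # Copy the .war file to a custom location where grype can find it
          mkdir -p ors-api/target/grype
          cp ors-api/target/ors.war ors-api/target/grype/ors.war
      # Grype runs twice because scan-action takes a single output-format:
      # a table for the job log, then SARIF for code scanning.
      # `fail-build: false` makes both scans report-only -- the job never
      # fails on findings. scan-action's `severity-cutoff` input is the
      # place to gate on severity once a policy is agreed.
      - name: Run the Anchore Grype scan action to console
        uses: anchore/scan-action@v3
        with:
          path: "ors-api/target/grype/"
          fail-build: false
          output-format: table
      - name: Run the Anchore Grype scan action to SARIF
        uses: anchore/scan-action@v3
        id: scan
        with:
          path: "ors-api/target/grype/"
          fail-build: false
          output-format: sarif
      - name: Upload vulnerability report
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
          category: Grype-War-Scan

  Anchore-Docker-Image-Scan:
    name: Grype scan ${{ matrix.platform }} image
    runs-on: ${{ matrix.image }}
    needs:
      - prepare_environment
    permissions:
      actions: read
      contents: read
      security-events: write  # required by upload-sarif
    strategy:
      matrix:
        platform: [ linux/amd64, linux/arm64/v8 ]
        image: [ ubuntu-latest ]
        # linux/arm64/v8 is emulated with qemu and takes ages to build the graph.
        # Only run linux/arm64/v8 tests on ready PR and master.
        isDraftPR:
          - ${{ github.event_name == 'pull_request' && github.event.pull_request.draft == true }}
        exclude:
          - isDraftPR: true
            platform: linux/arm64/v8
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Set up QEMU for ${{ matrix.platform }}
        uses: docker/setup-qemu-action@v2
        with:
          platforms: ${{ matrix.platform }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        id: buildx
        with:
          install: true
      # push: false + load: true keeps the image in the local daemon for the
      # scan; nothing is published. Only cache-from is set, so this workflow
      # reads the GHA layer cache but never writes to it (presumably another
      # workflow populates it -- verify).
      - name: Build image for ${{ matrix.platform }}
        uses: docker/build-push-action@v4
        with:
          context: .
          push: false
          load: true
          tags: ${{ needs.prepare_environment.outputs.test_image_name }}
          platforms: ${{ matrix.platform }}
          cache-from: type=gha
      # Same two-pass scan as the war job: table for the log, SARIF for
      # code scanning; report-only because of fail-build: false.
      - name: Run the Anchore Grype scan action to console
        uses: anchore/scan-action@v3
        with:
          image: ${{ needs.prepare_environment.outputs.test_image_name }}
          fail-build: false
          output-format: table
      - name: Run the Anchore Grype scan action to SARIF
        uses: anchore/scan-action@v3
        id: scan
        with:
          image: ${{ needs.prepare_environment.outputs.test_image_name }}
          fail-build: false
          output-format: sarif
      - name: Upload vulnerability report
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
          # One category per platform so the two matrix legs do not overwrite
          # each other's alerts.
          category: Grype-Docker-Image-${{ matrix.platform }}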