Skip to content

Avoid Grype DB downloads during subsequent invocations of grype scan-action #325

Avoid Grype DB downloads during subsequent invocations of grype scan-action

Avoid Grype DB downloads during subsequent invocations of grype scan-action #325

name: SCA Docker Test
on:
pull_request:
branches:
- main
push:
branches:
- main
tags:
- '*'
workflow_dispatch: {}
jobs:
test-scan-docker-image:
permissions:
contents: write # publish sbom to GH releases/tag assets
issues: read
checks: write
pull-requests: write
if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
name: Test Scan Docker Image
runs-on: ubuntu-22.04
env:
IMAGE: kong/kong-gateway-dev:latest #particular reason for the choice of image: test multi arch image sbom
steps:
- uses: actions/checkout@v4
- name: Install regctl
uses: regclient/actions/regctl-installer@main
- name: Login to DockerHub
if: success()
uses: docker/login-action@v3
with:
username: ${{ secrets.GHA_DOCKERHUB_PULL_USER }}
password: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUBLIC_TOKEN }}
- name: Parse Architecture Specific Image Manifest Digests
id: image_manifest_metadata
run: |
manifest_list_exists="$(
if regctl manifest get "${IMAGE}" --format raw-body --require-list -v panic &> /dev/null; then
echo true
else
echo false
fi
)"
echo "manifest_list_exists=$manifest_list_exists"
echo "manifest_list_exists=$manifest_list_exists" >> $GITHUB_OUTPUT
amd64_sha="$(regctl image digest "${IMAGE}" --platform linux/amd64 || echo '')"
arm64_sha="$(regctl image digest "${IMAGE}" --platform linux/arm64 || echo '')"
echo "amd64_sha=$amd64_sha"
echo "amd64_sha=$amd64_sha" >> $GITHUB_OUTPUT
echo "arm64_sha=$arm64_sha"
echo "arm64_sha=$arm64_sha" >> $GITHUB_OUTPUT
- name: Scan AMD64 Image digest
id: sbom_action_amd64
if: steps.image_manifest_metadata.outputs.amd64_sha != ''
uses: ./security-actions/scan-docker-image
with:
asset_prefix: kong-gateway-dev-linux-amd64
image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.amd64_sha }}
- name: Scan ARM64 Image digest
if: steps.image_manifest_metadata.outputs.manifest_list_exists == 'true' && steps.image_manifest_metadata.outputs.arm64_sha != ''
id: sbom_action_arm64
uses: ./security-actions/scan-docker-image
with:
asset_prefix: test.kong-gateway-dev-linux-arm64
image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.arm64_sha }}
upload-sbom-release-assets: true