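# Build the three service jars once, then build each service's container
# image locally (never pushed) and scan it with Anchore's scan-action,
# uploading the SARIF result to GitHub code scanning.
#
# NOTE(review): every action below is pinned to a floating major tag
# (@v2/@v3/@v4/@v5). A floating tag can be moved by the action's maintainers
# (or an attacker who compromises them); pinning to a full commit SHA is the
# safer supply-chain practice. No SHAs are recorded on this page, so pin them
# with dependabot/renovate or by hand before using this workflow as a gate.
name: Anchore security scan

on:
  push:
    branches:
      - develop
  pull_request:
    types: [opened, synchronize, reopened]

# Least-privilege default for GITHUB_TOKEN. Without this the token gets the
# repository's default permissions, which may be write-all. Jobs widen only
# what they need below.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - name: Checkout project
        uses: actions/checkout@v4
        with:
          # Do not leave GITHUB_TOKEN in .git/config where later steps
          # (the Gradle build, plugins it runs) could read it.
          persist-credentials: false
      - name: Set up JDK 17
        uses: actions/setup-java@v4
        with:
          distribution: 'temurin'
          java-version: '17'
      - name: Assemble project
        uses: gradle/gradle-build-action@v2
        with:
          arguments: assemble
      # NOTE(review): upload-artifact@v3 / download-artifact@v3 are deprecated
      # upstream; migrate both to @v4 together (v4 artifacts are immutable per
      # run, so the single `jars` name is still fine).
      - name: Upload jars artifacts
        uses: actions/upload-artifact@v3
        with:
          name: jars
          path: |
            api-gateway/build/libs
            search-service/build/libs
            subscription-service/build/libs

  anchore:
    runs-on: ubuntu-latest
    needs: build
    timeout-minutes: 30
    permissions:
      contents: read
      # Required by codeql-action/upload-sarif to create code-scanning alerts.
      # On pull_request events from a fork the token is read-only regardless,
      # so the upload step is expected to fail there; the scan itself still runs.
      security-events: write
      # upload-sarif reads workflow run metadata; needed on private repos.
      actions: read
    strategy:
      # Scan every service even when one fails its severity gate. With a single
      # sequential job, a failing first scan skipped the remaining scan steps
      # while their `if: always()` uploads still ran with an empty sarif_file.
      fail-fast: false
      matrix:
        service: [api-gateway, search-service, subscription-service]
    steps:
      - name: Checkout project
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Download jars artifacts
        uses: actions/download-artifact@v3
        with:
          name: jars
          path: build
      # The image is loaded into the local daemon only (push: false) so the
      # scan never requires registry credentials. Paths follow the repo layout
      # <service>/Dockerfile and build/<service>/build/libs/<service>-latest-dev.jar.
      - name: Build ${{ matrix.service }} local container
        uses: docker/build-push-action@v5
        with:
          context: .
          file: ./${{ matrix.service }}/Dockerfile
          tags: localbuild/${{ matrix.service }}:latest-scan
          push: false
          load: true
          build-args: |
            JAR_FILE=./build/${{ matrix.service }}/build/libs/${{ matrix.service }}-latest-dev.jar
      - name: Security Scan for ${{ matrix.service }} image
        id: scan
        uses: anchore/scan-action@v3
        with:
          image: "localbuild/${{ matrix.service }}:latest-scan"
          # Only `critical` findings fail the step (scan-action's default
          # fail-build applies); `high` and below are still written to the
          # SARIF and appear in code scanning but do not block. Lower the
          # cutoff to `high` if the team's policy requires it.
          severity-cutoff: critical
      - name: Upload Anchore scan SARIF report for ${{ matrix.service }}
        uses: github/codeql-action/upload-sarif@v3
        # Upload even when the scan failed its severity gate, so the findings
        # that caused the failure are visible in the Security tab.
        if: always()
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
          # Same category names as before (anchore-api-gateway, ...), so
          # existing code-scanning results are updated rather than duplicated.
          category: anchore-${{ matrix.service }}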