[vio-3010] Enable image scan

vapor-ware · Jul 13, 2023 · d046ecd · d046ecd
1 parent dcfb99f
commit d046ecd
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 15 deletions.
diff --git a/.github/actions/scan-image/README.md b/.github/actions/scan-image/README.md
diff --git a/.github/actions/scan-image/action.yml b/.github/actions/scan-image/action.yml
@@ -0,0 +1,37 @@
+name: scan image
+description: scan a container image for vulnerabilities
+inputs:
+  image:
+    required: true
+    description: container image to scan
+
+outputs:
+  sarif:
+    value: ${{ steps.output-sarif.outputs.sarif }}
+    description: results of the container scan in SARIF format
+
+runs:
+  using: composite
+  steps:
+    - name: scan container image
+      uses: anchore/scan-action@v3
+      id: scan
+      with:
+        image: ${{ inputs.image }}
+        acs-report-enable: true
+        fail-build: false
+        severity-cutoff: high
+
+    - id: output-sarif
+      run: echo "sarif=${{ steps.scan.outputs.sarif }}" >> $GITHUB_OUTPUT
+      shell: bash
+
+    - name: inspect action SARIF report
+      run: cat ${{ steps.scan.outputs.sarif }}
+      shell: bash
+
+    # TODO: submit sarif report to an API endpoint
+    # PAT auth to an API that stores sarif reports.
+    - name: submit SARIF report
+      run: echo "submitting SARIF report"
+      shell: bash
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -9,15 +9,15 @@ jobs:
   image_build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      # - uses: actions/checkout@v3
 
-    #   - name: Checkout vapor-ware workflows
-    #     uses: actions/checkout@v3
-    #     with:
-    #       repository: vapor-ware/workflows
-    #       token: ${{ secrets.GITHUB_TOKEN }}
-    #       ref: main
-    #       path: vapor-ware-workflows
+      # - name: Checkout vapor-ware workflows
+      #   uses: actions/checkout@v3
+      #   with:
+      #     repository: vapor-ware/workflows
+      #     token: ${{ secrets.GITHUB_TOKEN }}
+      #     ref: main
+      #     path: vapor-ware-workflows
 
       - uses: ./.github/actions/build-pr-image
         id: build-env
@@ -28,11 +28,11 @@ jobs:
           DOCKERFILE: Dockerfile
           USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
           PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }}
-          IMAGENAME: synse-server
+          IMAGENAME: edge-events
 
-    #   - uses: ./vapor-ware-workflows/.github/actions/scan-image
-    #     id: scan-image
-    #     with:
-    #       image: ${{ steps.build-env.outputs.image-archive }}
-    #       fail-build: false
-    #       severity-cutoff: high
+      - uses: ./.github/actions/scan-image
+        id: scan-image
+        with:
+          image: ${{ steps.build-env.outputs.image-archive }}
+          fail-build: false
+          severity-cutoff: high