save grype db cache on updates to avoid using stale cache db (#147) #422
name: SCA Docker Test | |
on: | |
pull_request: | |
branches: | |
- main | |
push: | |
branches: | |
- main | |
tags: | |
- '*' | |
workflow_dispatch: {} | |
jobs: | |
test-scan-docker-image: | |
permissions: | |
contents: write # publish sbom to GH releases/tag assets | |
issues: read | |
checks: write | |
pull-requests: write | |
if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }} | |
name: Test Scan Docker Image | |
runs-on: ubuntu-22.04 | |
env: | |
IMAGE: kong/kong-gateway-dev:latest #particular reason for the choice of image: test multi arch image sbom | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install regctl | |
uses: regclient/actions/regctl-installer@main | |
- name: Login to DockerHub | |
if: success() | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.GHA_DOCKERHUB_PULL_USER }} | |
password: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUBLIC_TOKEN }} | |
- name: Parse Architecture Specific Image Manifest Digests | |
id: image_manifest_metadata | |
run: | | |
manifest_list_exists="$( | |
if regctl manifest get "${IMAGE}" --format raw-body --require-list -v panic &> /dev/null; then | |
echo true | |
else | |
echo false | |
fi | |
)" | |
echo "manifest_list_exists=$manifest_list_exists" | |
echo "manifest_list_exists=$manifest_list_exists" >> $GITHUB_OUTPUT | |
amd64_sha="$(regctl image digest "${IMAGE}" --platform linux/amd64 || echo '')" | |
arm64_sha="$(regctl image digest "${IMAGE}" --platform linux/arm64 || echo '')" | |
echo "amd64_sha=$amd64_sha" | |
echo "amd64_sha=$amd64_sha" >> $GITHUB_OUTPUT | |
echo "arm64_sha=$arm64_sha" | |
echo "arm64_sha=$arm64_sha" >> $GITHUB_OUTPUT | |
- name: Scan AMD64 Image digest | |
id: sbom_action_amd64 | |
if: steps.image_manifest_metadata.outputs.amd64_sha != '' | |
uses: ./security-actions/scan-docker-image | |
with: | |
asset_prefix: kong-gateway-dev-linux-amd64 | |
image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.amd64_sha }} | |
- name: Scan ARM64 Image digest | |
if: steps.image_manifest_metadata.outputs.manifest_list_exists == 'true' && steps.image_manifest_metadata.outputs.arm64_sha != '' | |
id: sbom_action_arm64 | |
uses: ./security-actions/scan-docker-image | |
with: | |
asset_prefix: test.kong-gateway-dev-linux-arm64 | |
image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.arm64_sha }} | |
upload-sbom-release-assets: true | |
force_grype_db_update: true ## Explicitly skip db cache when available | |
test-download-sbom: | |
if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }} | |
name: Download SBOM | |
runs-on: ubuntu-22.04 | |
needs: [test-scan-docker-image] | |
env: | |
SBOM_DOWNLOAD_PATH: ${{ github.workspace }}/security-assets/sboms | |
SPDX_SBOM_PATTERN: "*sbom.spdx.json" | |
CYCLONEDX_SBOM_PATTERN: "*sbom.cyclonedx.json" | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
steps: | |
- name: "Download all SBOM assets" | |
id: collect_sbom | |
if: ${{ needs.test-scan-docker-image.result == 'success' }} | |
run: |- | |
gh run download ${{ github.run_id }} -D ${{ env.SBOM_DOWNLOAD_PATH }} -p '${{ env.CYCLONEDX_SBOM_PATTERN }}' -p '${{ env.SPDX_SBOM_PATTERN }}' --repo ${{ github.repository }} | |
- name: Inspect download assets | |
run: | | |
ls -alR ${{ github.workspace }}/security-assets/sboms |
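Review bot: `regclient/actions/regctl-installer@main` in the Install regctl step is a mutable branch reference inside a job that holds `contents: write` and the DockerHub pull credentials, so whatever that branch resolves to at run time executes with those privileges; pin it to a full commit SHA with the version as a trailing comment, e.g. `uses: regclient/actions/regctl-installer@<full-commit-sha> # vX.Y.Z` (placeholder, take the SHA from the action's release), and consider the same for `docker/login-action@v3` and `actions/checkout@v4`. Whether this line is new or pre-existing is not recoverable from the rendered section, so it may be out of scope for this commit. Separately, `force_grype_db_update: true ## Explicitly skip db cache when available` is set only on the ARM64 scan step while the AMD64 step omits it, so only one of the two scan paths exercises the cache behaviour named in the commit title; if that asymmetry is deliberate (cached path vs. forced refresh), a comment on the AMD64 step saying so would help, and the inline comment should use a single `# ` per the file's other comments. The three `>> $GITHUB_OUTPUT` redirections in the manifest-parsing step would be safer written as `>> "$GITHUB_OUTPUT"`.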