

Change: Switch to harbor, use image built by push.yml and use self hosted runners
robert-schardt committed Nov 25, 2024
1 parent 44c071b commit dfb66ea
Showing 1 changed file with 24 additions and 15 deletions.
39 changes: 24 additions & 15 deletions .github/workflows/research-vuln-scan.yml
Expand Up @@ -17,19 +17,22 @@ jobs:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Trivy
runs-on: "ubuntu-20.04"
runs-on: self-hosted-generic
steps:
- name: Checkout code
uses: actions/11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Build an image from Dockerfile
run: |
docker build -t greenbone/opensight-postgres:${{ github.sha }} .
- name: Login to Greenbone Product container registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0
with:
registry: ${{ vars.GREENBONE_REGISTRY }}
username: ${{ secrets.GREENBONE_REGISTRY_READ_USER }}
password: ${{ secrets.GREENBONE_REGISTRY_READ_TOKEN }}

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
with:
image-ref: 'greenbone/opensight-postgres:${{ github.sha }}'
image-ref: '${{ vars.GREENBONE_REGISTRY }}opensight/opensight-postgres:16'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
Expand All @@ -48,20 +51,23 @@ jobs:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Grype
runs-on: "ubuntu-20.04"
runs-on: self-hosted-generic
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Build an image from Dockerfile
run: |
docker build -t greenbone/opensight-postgres:${{ github.sha }} .
- name: Login to Greenbone Product container registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0
with:
registry: ${{ vars.GREENBONE_REGISTRY }}
username: ${{ secrets.GREENBONE_REGISTRY_READ_USER }}
password: ${{ secrets.GREENBONE_REGISTRY_READ_TOKEN }}

- name: Run the Anchore Grype scan action
uses: anchore/scan-action@d5aa5b6cb9414b0c7771438046ff5bcfa2854ed7
id: grype
with:
image: "greenbone/opensight-postgres:${{ github.sha }}"
image: '${{ vars.GREENBONE_REGISTRY }}opensight/opensight-postgres:16'
fail-build: false
severity-cutoff: medium

Expand All @@ -78,22 +84,25 @@ jobs:
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
pull-requests: write
name: "Docker Scout"
runs-on: "ubuntu-20.04"
runs-on: self-hosted-generic
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Build an image from Dockerfile
run: |
docker build -t greenbone/opensight-postgres:${{ github.sha }} .
- name: Login to Greenbone Product container registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0
with:
registry: ${{ vars.GREENBONE_REGISTRY }}
username: ${{ secrets.GREENBONE_REGISTRY_READ_USER }}
password: ${{ secrets.GREENBONE_REGISTRY_READ_TOKEN }}

- name: Analyze for critical and high CVEs
id: docker-scout-cves
if: ${{ github.event_name != 'pull_request_target' }}
uses: docker/scout-action@v1
with:
command: cves, recommendations, compare
image: "greenbone/opensight-postgres:${{ github.sha }}"
image: '${{ vars.GREENBONE_REGISTRY }}opensight/opensight-postgres:16'
sarif-file: sarif.output.json
summary: true
dockerhub-user: ${{ secrets.DOCKERHUB_USERNAME }}
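Review bot: All three scanners now read the floating tag `opensight/opensight-postgres:16` (the new `image-ref`/`image` lines in each job), so the SARIF uploaded for this commit describes whatever push.yml last published under that tag rather than the Dockerfile at `github.sha`, and the previous commit-pinned, reproducible scan is lost; if push.yml also pushes a commit-tagged image, use `image-ref: '${{ vars.GREENBONE_REGISTRY }}opensight/opensight-postgres:${{ github.sha }}'`, otherwise resolve `:16` to its digest once at the top of the job and pass that digest to Trivy, Grype and Scout. The reference is built by gluing `opensight/...` straight onto `vars.GREENBONE_REGISTRY` while the same variable is passed as `registry:` to docker/login-action, which only produces a valid reference if the variable ends in `/`; that contract is undocumented, so either add `# GREENBONE_REGISTRY is expected to end with a trailing slash` beside the login step or write the `/` explicitly and keep the variable host-only. With the build step removed, the remaining `actions/checkout` step in each job feeds nothing visible in these hunks and can be dropped, which also avoids checking out repository code on the shared `self-hosted-generic` runner. Because these jobs now run with registry credentials on a self-hosted runner and the Scout step's existing `pull_request_target` guard suggests that trigger is in use, confirm in the workflow's `on:` block (outside these hunks) that the jobs are not run for pull requests from forks; the upload-sarif steps that consume these scan outputs also lie outside the hunks.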

