Skip to content

Commit

Permalink
feat: add GH action for Anchore vulnerability scan (#847)
Browse files Browse the repository at this point in the history
  • Loading branch information
@bobeal
bobeal authored Jul 3, 2023
1 parent bb9617b commit 3f70c91
Show file tree
Hide file tree
Showing 2 changed files with 119 additions and 0 deletions.
109 changes: 109 additions & 0 deletions .github/workflows/anchore.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,109 @@
name: Anchore security scan
on:
push:
branches:
- develop
pull_request:
types: [opened, synchronize, reopened]
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout project
uses: actions/checkout@v3
- name: Set up JDK 17
uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: '17'
- name: Assemble project
uses: gradle/gradle-build-action@v2
with:
arguments: assemble
- name: Upload jars artifacts
uses: actions/upload-artifact@v3
with:
name: jars
path: |
api-gateway/build/libs
search-service/build/libs
subscription-service/build/libs
anchore:
runs-on: ubuntu-latest
needs: build
steps:
- name: Checkout project
uses: actions/checkout@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Download jars artifacts
uses: actions/download-artifact@v3
with:
name: jars
path: build
- name: Build API Gateway local container
uses: docker/build-push-action@v4
with:
context: .
file: ./api-gateway/Dockerfile
tags: localbuild/api-gateway:latest-scan
push: false
load: true
build-args: |
JAR_FILE=./build/api-gateway/build/libs/api-gateway-latest-dev.jar
- name: Build Search Service local container
uses: docker/build-push-action@v4
with:
context: .
file: ./search-service/Dockerfile
tags: localbuild/search-service:latest-scan
push: false
load: true
build-args: |
JAR_FILE=./build/search-service/build/libs/search-service-latest-dev.jar
- name: Build Subscription Service local container
uses: docker/build-push-action@v4
with:
context: .
file: ./subscription-service/Dockerfile
tags: localbuild/subscription-service:latest-scan
push: false
load: true
build-args: |
JAR_FILE=./build/subscription-service/build/libs/subscription-service-latest-dev.jar
- name: Security Scan for API Gateway image
id: scan-api-gateway
uses: anchore/scan-action@v3
with:
image: "localbuild/api-gateway:latest-scan"
severity-cutoff: critical
- name: Security Scan for Search Service image
id: scan-search-service
uses: anchore/scan-action@v3
with:
image: "localbuild/search-service:latest-scan"
severity-cutoff: critical
- name: Security Scan for Subscription Service image
id: scan-subscription-service
uses: anchore/scan-action@v3
with:
image: "localbuild/subscription-service:latest-scan"
severity-cutoff: critical
- name: Upload Anchore scan SARIF report for API Gateway
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: ${{ steps.scan-api-gateway.outputs.sarif }}
category: anchore-api-gateway
- name: Upload Anchore scan SARIF report for Search Service
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: ${{ steps.scan-search-service.outputs.sarif }}
category: anchore-search-service
- name: Upload Anchore scan SARIF report for Subscription Service
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: ${{ steps.scan-subscription-service.outputs.sarif }}
category: anchore-subscription-service
10 changes: 10 additions & 0 deletions .grype.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
ignore:
# see https://github.com/anchore/grype/issues/431
# see https://github.com/anchore/grype/issues/1009
- vulnerability: CVE-2015-2156
- vulnerability: CVE-2019-16869
- vulnerability: CVE-2019-20444
- vulnerability: CVE-2019-20445
- vulnerability: CVE-2021-37136
- vulnerability: CVE-2021-37137
- vulnerability: CVE-2022-41881

0 comments on commit 3f70c91

Please sign in to comment.