Add Anchore image scan (#14)

* Add image scan to deb * Upload Anchore * Add image scan to build * Fix scan report uploading * Enable acs report * Increase severity cutoff to crtitical * Fix scan for build * Fix typo * Fix build local registry
2020-11-20 00:13:57 -08:00 · 2020-11-20 00:13:57 -08:00 · 36f0935346
commit 36f0935346
parent f0d653fb78
2 changed files with 50 additions and 2 deletions
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@ -20,6 +20,11 @@ env:
 jobs:
  build:
    runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
    steps:
      - name: Checkout
        uses: actions/checkout@master
@ -38,13 +43,36 @@ jobs:
        uses: docker/setup-qemu-action@v1
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
+        with:
+          driver-opts: network=host
+      - name: Build image without push to DockerHub
+        uses: docker/build-push-action@v2
+        with:
+          context: ./build
+          file: ./build/Dockerfile
+          platforms: linux/amd64,linux/arm64/v8,linux/arm/v7
+          push: true
+          tags: localhost:5000/protonmail-bridge:latest
+      - name: Scan image
+        id: scan
+        uses: anchore/scan-action@v2
+        with:
+          image: localhost:5000/protonmail-bridge:latest
+          fail-build: true
+          severity-cutoff: critical
+          acs-report-enable: true
+      - name: Upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
      - name: Login to DockerHub
        uses: docker/login-action@v1
        if: ${{ github.event_name != 'pull_request' }}
        with:
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}
-      - uses: docker/build-push-action@v2
+      - name: Push image
+        uses: docker/build-push-action@v2
        with:
          context: ./build
          file: ./build/Dockerfile
--- a/.github/workflows/deb.yaml
+++ b/.github/workflows/deb.yaml
@ -36,13 +36,33 @@ jobs:
          images: ${{ steps.repo.outputs.repo }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
+      - name: Build image without push
+        uses: docker/build-push-action@v2
+        with:
+          context: ./deb
+          file: ./deb/Dockerfile
+          load: true
+          tags: protonmail-bridge:latest
+      - name: Scan image
+        id: scan
+        uses: anchore/scan-action@v2
+        with:
+          image: protonmail-bridge:latest
+          fail-build: true
+          severity-cutoff: critical
+          acs-report-enable: true
+      - name: Upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
      - name: Login to DockerHub
        uses: docker/login-action@v1
        if: ${{ github.event_name != 'pull_request' }}
        with:
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}
-      - uses: docker/build-push-action@v2
+      - name: Push image
+        uses: docker/build-push-action@v2
        with:
          context: ./deb
          file: ./deb/Dockerfile