From 36f0935346782888e151048dd6a442498498d8d0 Mon Sep 17 00:00:00 2001
From: Xiaonan Shen
Date: Fri, 20 Nov 2020 00:13:57 -0800
Subject: [PATCH] Add Anchore image scan (#14)
* Add image scan to deb
* Upload Anchore
* Add image scan to build
* Fix scan report uploading
* Enable acs report
* Increase severity cutoff to crtitical
* Fix scan for build
* Fix typo
* Fix build local registry
---
 .github/workflows/build.yaml | 30 +++++++++++++++++++++++++++++-
 .github/workflows/deb.yaml | 22 +++++++++++++++++++++-
 2 files changed, 50 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 64590cf..d2db625 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -20,6 +20,11 @@ env:
 jobs:
 build:
 runs-on: ubuntu-latest
+ services:
+ registry:
+ image: registry:2
+ ports:
+ - 5000:5000
 steps:
 - name: Checkout
 uses: actions/checkout@master
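Review bot: The new `registry:2` service image is pulled from Docker Hub by a mutable tag, so the local registry that the scan and push steps depend on is whatever that tag resolves to on the day the job runs; pin it by digest, `image: registry:2@sha256:<digest>`, and bump it deliberately, since this service sits on the path that gates what gets published. The registry speaks plain HTTP on port 5000 of the runner; that is tolerable only while both the builder and the scanner address it as `localhost:5000` on the same runner, and a comment such as `# plain-HTTP scratch registry, reachable only from this runner` above `services:` would make that assumption explicit for the next maintainer. Quote the mapping as `- "5000:5000"` so a future change to a smaller port does not hit the YAML 1.1 colon-number scalar trap.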
@@ -38,13 +43,36 @@ jobs:
 uses: docker/setup-qemu-action@v1
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v1
+ with:
+ driver-opts: network=host
+ - name: Build image without push to DockerHub
+ uses: docker/build-push-action@v2
+ with:
+ context: ./build
+ file: ./build/Dockerfile
+ platforms: linux/amd64,linux/arm64/v8,linux/arm/v7
+ push: true
+ tags: localhost:5000/protonmail-bridge:latest
+ - name: Scan image
+ id: scan
+ uses: anchore/scan-action@v2
+ with:
+ image: localhost:5000/protonmail-bridge:latest
+ fail-build: true
+ severity-cutoff: critical
+ acs-report-enable: true
+ - name: Upload Anchore scan SARIF report
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: ${{ steps.scan.outputs.sarif }}
 - name: Login to DockerHub
 uses: docker/login-action@v1
 if: ${{ github.event_name != 'pull_request' }}
 with:
 username: ${{ secrets.REGISTRY_USERNAME }}
 password: ${{ secrets.REGISTRY_PASSWORD }}
- - uses: docker/build-push-action@v2
+ - name: Push image
+ uses: docker/build-push-action@v2
 with:
 context: ./build
 file: ./build/Dockerfile
diff --git a/.github/workflows/deb.yaml b/.github/workflows/deb.yaml
index 7a3607f..639129d 100644
--- a/.github/workflows/deb.yaml
+++ b/.github/workflows/deb.yaml
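Review bot: The `Upload Anchore scan SARIF report` step is skipped in exactly the case it exists for: with `fail-build: true` a critical finding makes the `Scan image` step fail, and the upload step has no `if:`, so the job stops and no SARIF for the failing run reaches code scanning. Give the upload step `if: ${{ success() || steps.scan.outcome == 'failure' }}` so the report is uploaded whenever the scan itself ran, while still not attempting an upload when an earlier step failed and `steps.scan.outputs.sarif` is empty. Two further gaps: `localhost:5000/protonmail-bridge:latest` is a multi-platform manifest list and the scanner will pull and inspect only one platform (presumably linux/amd64), so the arm64 and arm/v7 variants are published unscanned; and the renamed `Push image` step rebuilds from `./build` instead of retagging the image that was scanned, so what reaches DockerHub is not guaranteed to be the scanned artifact (the rest of that step's inputs lie outside the hunk). A comment above `Scan image` stating which platform is actually scanned and that the push is a rebuild, not a promotion of the scanned digest, would at least document the gap until the pipeline pushes the scanned image by digest.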
@@ -36,13 +36,33 @@ jobs:
 images: ${{ steps.repo.outputs.repo }}
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v1
+ - name: Build image without push
+ uses: docker/build-push-action@v2
+ with:
+ context: ./deb
+ file: ./deb/Dockerfile
+ load: true
+ tags: protonmail-bridge:latest
+ - name: Scan image
+ id: scan
+ uses: anchore/scan-action@v2
+ with:
+ image: protonmail-bridge:latest
+ fail-build: true
+ severity-cutoff: critical
+ acs-report-enable: true
+ - name: Upload Anchore scan SARIF report
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: ${{ steps.scan.outputs.sarif }}
 - name: Login to DockerHub
 uses: docker/login-action@v1
 if: ${{ github.event_name != 'pull_request' }}
 with:
 username: ${{ secrets.REGISTRY_USERNAME }}
 password: ${{ secrets.REGISTRY_PASSWORD }}
- - uses: docker/build-push-action@v2
+ - name: Push image
+ uses: docker/build-push-action@v2
 with:
 context: ./deb
 file: ./deb/Dockerfile
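Review bot: As in build.yaml, the SARIF upload step here is skipped whenever `Scan image` fails on a critical finding, because `fail-build: true` fails that step and the upload has no `if:`; add `if: ${{ success() || steps.scan.outcome == 'failure' }}` to the upload step so the findings that block a release are the ones that actually land in code scanning. `severity-cutoff: critical` means high-severity CVEs do not fail the build and, with the upload skipped on failure, are only ever reported on green runs; if critical-only gating is intentional, say so above the step, e.g. `# Gate only on critical; high and below are reported via SARIF but do not block`. The `Push image` step rebuilds from `./deb` rather than pushing the locally loaded `protonmail-bridge:latest` that was scanned, so the published image is not the scanned artifact; the remainder of that step is outside the hunk. Finally, every third-party action here is pinned to a floating major tag (`@v2`, `@v1`); for the steps that decide what gets published, pin to a full commit SHA with a `# vX.Y.Z` comment so a moved tag cannot alter the gate.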