proton_nextcloud_podman/protonmail-bridge-nextcoud-podman
1
0
Fork 0
forked from Mouws/protonmail-bridge-nextcoud-podman
Code Pull Requests Activity

Add Anchore image scan (#14)

Browse Source 
* Add image scan to deb

* Upload Anchore

* Add image scan to build

* Fix scan report uploading

* Enable acs report

* Increase severity cutoff to crtitical

* Fix scan for build

* Fix typo

* Fix build local registry
This commit is contained in:
Xiaonan Shen 2020-11-20 00:13:57 -08:00 committed by GitHub
parent f0d653fb78
commit 36f0935346
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 50 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
.github/workflows/build.yaml vendored
View File

@ -20,6 +20,11 @@ env:
jobs: jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
services:
registry:
image: registry:2
ports:
- 5000:5000
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@master uses: actions/checkout@master
@ -38,13 +43,36 @@ jobs:
uses: docker/setup-qemu-action@v1 uses: docker/setup-qemu-action@v1
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1 uses: docker/setup-buildx-action@v1
with:
driver-opts: network=host
- name: Build image without push to DockerHub
uses: docker/build-push-action@v2
with:
context: ./build
file: ./build/Dockerfile
platforms: linux/amd64,linux/arm64/v8,linux/arm/v7
push: true
tags: localhost:5000/protonmail-bridge:latest
- name: Scan image
id: scan
uses: anchore/scan-action@v2
with:
image: localhost:5000/protonmail-bridge:latest
fail-build: true
severity-cutoff: critical
acs-report-enable: true
- name: Upload Anchore scan SARIF report
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
- name: Login to DockerHub - name: Login to DockerHub
uses: docker/login-action@v1 uses: docker/login-action@v1
if: ${{ github.event_name != 'pull_request' }} if: ${{ github.event_name != 'pull_request' }}
with: with:
username: ${{ secrets.REGISTRY_USERNAME }} username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }} password: ${{ secrets.REGISTRY_PASSWORD }}
- uses: docker/build-push-action@v2 - name: Push image
uses: docker/build-push-action@v2
with: with:
context: ./build context: ./build
file: ./build/Dockerfile file: ./build/Dockerfile

22
.github/workflows/deb.yaml vendored
View File

@ -36,13 +36,33 @@ jobs:
images: ${{ steps.repo.outputs.repo }} images: ${{ steps.repo.outputs.repo }}
- name: Set up Docker Buildx - name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1 uses: docker/setup-buildx-action@v1
- name: Build image without push
uses: docker/build-push-action@v2
with:
context: ./deb
file: ./deb/Dockerfile
load: true
tags: protonmail-bridge:latest
- name: Scan image
id: scan
uses: anchore/scan-action@v2
with:
image: protonmail-bridge:latest
fail-build: true
severity-cutoff: critical
acs-report-enable: true
- name: Upload Anchore scan SARIF report
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
- name: Login to DockerHub - name: Login to DockerHub
uses: docker/login-action@v1 uses: docker/login-action@v1
if: ${{ github.event_name != 'pull_request' }} if: ${{ github.event_name != 'pull_request' }}
with: with:
username: ${{ secrets.REGISTRY_USERNAME }} username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }} password: ${{ secrets.REGISTRY_PASSWORD }}
- uses: docker/build-push-action@v2 - name: Push image
uses: docker/build-push-action@v2
with: with:
context: ./deb context: ./deb
file: ./deb/Dockerfile file: ./deb/Dockerfile