diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml
index cdf7e5bd9200..22a168af946d 100644
--- a/.github/workflows/cve-scan.yaml
+++ b/.github/workflows/cve-scan.yaml
@@ -15,6 +15,12 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@v2
+ - name: Setup Env
+ id: vars
+ shell: bash
+ run: |
+ echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+ echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
 - name: Set up QEMU
 uses: docker/setup-qemu-action@v1
 - name: Set up Docker Buildx
@@ -22,18 +28,28 @@ jobs:
 - name: Build images
 shell: bash
 run: |
- make docker
+ touch kratos
+ DOCKER_BUILDKIT=1 docker build -f .docker/Dockerfile-alpine --build-arg=COMMIT=${{ steps.vars.outputs.sha_short }} -t oryd/kratos:${{ steps.vars.outputs.sha_short }} .
+ rm kratos
 - name: Anchore Scanner
 uses: anchore/scan-action@v3
+ id: grype-scan
 with:
- image: oryd/kratos:latest
+ image: oryd/kratos:${{ steps.vars.outputs.sha_short }}
 fail-build: true
 severity-cutoff: high
+ debug: false
+ acs-report-enable: true
+ - name: Anchore upload scan SARIF report
+ if: always()
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: ${{ steps.grype-scan.outputs.sarif }}
 - name: Trivy Scanner
 uses: aquasecurity/trivy-action@master
 if: ${{ always() }}
 with:
- image-ref: oryd/kratos:latest
+ image-ref: oryd/kratos:${{ steps.vars.outputs.sha_short }}
 format: 'table'
 exit-code: '42'
 ignore-unfixed: true
@@ -43,6 +59,6 @@ jobs:
 uses: erzz/dockle-action@v1.1.1
 if: ${{ always() }}
 with:
- image: oryd/kratos:latest
+ image: oryd/kratos:${{ steps.vars.outputs.sha_short }}
 exit-code: 42
 failure-threshold: fatal
diff --git a/.grype.yaml b/.grype.yaml
new file mode 100644
index 000000000000..7e6d0a9bafa2
--- /dev/null
+++ b/.grype.yaml
@@ -0,0 +1,3 @@
+#only-fixed: true
+ignore:
+ - vulnerability: CVE-2015-5237
\ No newline at end of file
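Review bot: The two `echo` lines in the new `Setup Env` step mix two spellings of a workflow command (`##[set-output name=branch;]` on the first line, `::set-output` on the second), and the `##[...]` form is the legacy Azure-style syntax that GitHub runners have long since deprecated along with `::set-output` itself in favour of appending to `$GITHUB_OUTPUT`. Since `sha_short` is what every later step uses to tag and locate the image, a silently ignored command would make `oryd/kratos:` an empty tag and break all three scanners, so write both outputs the supported way: `echo "branch=${GITHUB_REF#refs/heads/}" >> "$GITHUB_OUTPUT"` and `echo "sha_short=$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"`. Nothing in this diff consumes the `branch` output, so it can also simply be dropped. The enclosing job definition starts above the hunk.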
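Review bot: The `touch kratos` / `rm kratos` placeholder around `docker build` means the image that Grype, Trivy and Dockle scan most likely contains an empty file where the real `kratos` binary belongs (the Dockerfile is not in the diff, but the placeholder strongly suggests it `COPY`s a prebuilt binary), so the scanners will only report base-image/OS package findings and nothing from the Go modules compiled into kratos itself. If the intent is to scan what ships, build the binary first (or scan the image the release workflow publishes) rather than a stand-in; if a base-image-only scan is deliberate, say so on the step, e.g. `# NOTE: kratos is an empty placeholder here; this job scans the base image/OS packages only, not the Go binary`. Separately, the new `upload-sarif` step needs `security-events: write` on the job token, which is not visible in this hunk — confirm the job's `permissions` block grants it, and consider pinning `github/codeql-action/upload-sarif` (and the other actions) to a full commit SHA rather than a mutable major tag. The `Build images` step belongs to a job whose header is outside the hunk.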
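Review bot: The new `ignore:` rule for CVE-2015-5237 suppresses that finding for every package in every image Grype scans with this config, and records no reason, affected package, or review date, so it will keep hiding the finding even after the package it was triaged against is replaced or the base image changes. Grype ignore rules accept a `package:` qualifier (name/version) and `fix-state:`; scope the entry to the package that was actually assessed and add the rationale above it, e.g. `# CVE-2015-5237: <package> — assessed not reachable in this image; re-evaluate on next base-image bump`. The commented-out `#only-fixed: true` leaves intent unclear — either delete it or make it a real setting; note the workflow's Trivy step already runs with `ignore-unfixed: true`, so a comment stating whether Grype is meant to match that behaviour would help the next maintainer.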