Grype WAR security scan #1728
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
############################################################################# | |
# Workflow for using Grype to scan for security issues in IRIDA dependencies | |
############################################################################# | |
name: Grype WAR security scan | |
on: | |
pull_request: # Run on all pull requests | |
push: | |
branches: # Run on any push to development or main | |
- development | |
- main | |
schedule: # Run daily on development and weekly on main | |
- cron: 0 1 * * * | |
branches: development | |
- cron: 0 2 * * 0 | |
branches: main | |
jobs: | |
war-build: # Gradle integration tests | |
runs-on: ubuntu-20.04 #See pre-installed software at https://github.com/actions/virtual-environments/blob/main/images/linux/Ubuntu2004-Readme.md | |
steps: | |
- uses: actions/checkout@v3 #Checkout the project from git | |
- name: Get pnpm store directory | |
id: pnpm-cache | |
run: | | |
echo "::set-output name=pnpm_cache_dir::$(./gradlew pnpmCacheDir -q)" | |
- name: Setup pnpm cache | |
uses: actions/cache@v3 | |
with: | |
path: ${{ steps.pnpm-cache.outputs.pnpm_cache_dir }} | |
key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }} | |
restore-keys: | | |
${{ runner.os }}-pnpm-store- | |
- name: Set up JDK 17 # Installs java 17 | |
uses: actions/setup-java@v1 | |
with: | |
java-version: 17 | |
- name: Validate Gradle wrapper | |
uses: gradle/wrapper-validation-action@v1 | |
- name: Setup Gradle | |
uses: gradle/gradle-build-action@v2 | |
- name: Build WAR file # Build the WAR file | |
id: package | |
run: | | |
./gradlew clean build -xtest | |
- name: Link WAR file | |
run: | | |
ln -s build/dist/irida-*.war irida.war | |
ls -l irida.war | |
- name: Scan image | |
id: scan | |
uses: anchore/scan-action@v3 | |
with: | |
image: irida.war | |
fail-build: false | |
acs-report-enable: true | |
- name: Inspect action SARIF report | |
run: cat ${{ steps.scan.outputs.sarif }} | |
- name: upload Anchore scan SARIF report | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: ${{ steps.scan.outputs.sarif }} | |