Merge pull request #120 from voxpupuli/switch_to_grype

feat: switch container scanning to grype
voxpupuli · Sep 6, 2024 · 1927491 · 1927491
2 parents 7a4fe7f + bb3f17e
commit 1927491
Show file tree

Hide file tree

Showing 2 changed files with 63 additions and 31 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -51,37 +51,6 @@ jobs:
             R10K_VERSION=${{ matrix.r10k_version }}
             RUGGED_VERSION=${{ matrix.rugged_version }}
 
-      # - name: Login to Docker Hub
-      #   uses: docker/login-action@v3
-      #   with:
-      #     username: voxpupulibot
-      #     password: ${{ secrets.DOCKERHUB_BOT_RO_PASSWORD }}
-
-      # - name: Analyze container image for CVEs
-      #   id: analyze-image-cves
-      #   uses: docker/scout-action@v1
-      #   with:
-      #     command: cves
-      #     image: 'local://ci/puppetserver:${{ matrix.version }}'
-      #     sarif-file: sarif.output.${{ matrix.version }}.${{ github.sha }}.json
-      #     write-comment: false
-
-      # - name: Compare container image to latest from Registry
-      #   id: compare-image
-      #   uses: docker/scout-action@v1
-      #   with:
-      #     command: compare
-      #     image: 'local://ci/puppetserver:${{ matrix.version }}'
-      #     to: 'ghcr.io/voxpupuli/puppetserver:${{ matrix.version }}-latest'
-      #     summary: true
-      #     keep-previous-comments: true
-
-      # - name: Upload SARIF result
-      #   id: upload-sarif
-      #   uses: github/codeql-action/upload-sarif@v3
-      #   with:
-      #     sarif_file: sarif.output.${{ matrix.version }}.${{ github.sha }}.json
-
   tests:
     needs:
       - general_ci

diff --git a/.github/workflows/security_scanning.yml b/.github/workflows/security_scanning.yml
@@ -0,0 +1,63 @@
+---
+name: Security Scanning 🕵️
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  setup-matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - name: Source checkout
+        uses: actions/checkout@v4
+
+      - id: set-matrix
+        run: echo "matrix=$(jq -c . build_versions.json)" >> $GITHUB_OUTPUT
+
+  scan_ci_container:
+    name: 'Scan CI container'
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    needs: setup-matrix
+    strategy:
+      matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Build CI container
+        uses: docker/build-push-action@v6
+        with:
+          tags: 'ci/puppetserver:${{ matrix.version }}'
+          context: puppetserver
+          push: false
+          build-args: |
+            PUPPET_RELEASE=${{ matrix.release }}
+            PUPPETSERVER_VERSION=${{ matrix.version }}
+            R10K_VERSION=${{ matrix.r10k_version }}
+            RUGGED_VERSION=${{ matrix.rugged_version }}
+
+      - name: Scan image with Anchore Grype
+        uses: anchore/scan-action@v4
+        id: scan
+        with:
+          image: 'ci/puppetserver:${{ matrix.version }}'
+          fail-build: false
+
+      - name: Inspect action SARIF report
+        run: jq . ${{ steps.scan.outputs.sarif }}
+
+      - name: Upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}