From 8506fcf59d572851b24041b48af6a04b31520a32 Mon Sep 17 00:00:00 2001
From: Andreas Bucksteeg <tricky42@users.noreply.github.com>
Date: Tue, 18 Jan 2022 17:05:52 +0100
Subject: [PATCH] fix: adjust scan configuration (#2140)

Closes #2083
---
 .github/workflows/cve-scan.yaml | 24 ++++++++++++++++++++----
 .grype.yaml                     |  3 +++
 2 files changed, 23 insertions(+), 4 deletions(-)
 create mode 100644 .grype.yaml

diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml
index cdf7e5bd9200..22a168af946d 100644
--- a/.github/workflows/cve-scan.yaml
+++ b/.github/workflows/cve-scan.yaml
@@ -15,6 +15,12 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v2
+      - name: Setup Env
+        id: vars
+        shell: bash
+        run: |
+          echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
+          echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
       - name: Set up Docker Buildx
@@ -22,18 +28,28 @@ jobs:
       - name: Build images
         shell: bash
         run: |
-          make docker
+          touch kratos
+          DOCKER_BUILDKIT=1 docker build -f .docker/Dockerfile-alpine --build-arg=COMMIT=${{ steps.vars.outputs.sha_short }} -t oryd/kratos:${{ steps.vars.outputs.sha_short }} .
+          rm kratos
       - name: Anchore Scanner
         uses: anchore/scan-action@v3
+        id: grype-scan
         with:
-          image: oryd/kratos:latest
+          image: oryd/kratos:${{ steps.vars.outputs.sha_short }}
           fail-build: true
           severity-cutoff: high
+          debug: false
+          acs-report-enable: true
+      - name: Anchore upload scan SARIF report
+        if: always()
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: ${{ steps.grype-scan.outputs.sarif }}
       - name: Trivy Scanner
         uses: aquasecurity/trivy-action@master
         if: ${{ always() }}
         with:
-          image-ref: oryd/kratos:latest
+          image-ref: oryd/kratos:${{ steps.vars.outputs.sha_short }}
           format: 'table'
           exit-code: '42'
           ignore-unfixed: true
@@ -43,6 +59,6 @@ jobs:
         uses: erzz/dockle-action@v1.1.1
         if: ${{ always() }}
         with:
-          image: oryd/kratos:latest
+          image: oryd/kratos:${{ steps.vars.outputs.sha_short }}
           exit-code: 42
           failure-threshold: fatal
diff --git a/.grype.yaml b/.grype.yaml
new file mode 100644
index 000000000000..7e6d0a9bafa2
--- /dev/null
+++ b/.grype.yaml
@@ -0,0 +1,3 @@
+#only-fixed: true
+ignore:
+  - vulnerability: CVE-2015-5237
\ No newline at end of file