Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: adjust scan configuration #2140

Merged
merged 4 commits into from
Jan 18, 2022
Merged
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 18 additions & 4 deletions .github/workflows/cve-scan.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,25 +15,39 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Setup Env
id: vars
shell: bash
run: |
echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
- name: Set up QEMU
uses: docker/setup-qemu-action@v1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v1
- name: Build images
shell: bash
run: |
make docker
image_tag=${{ steps.vars.outputs.sha_short }} make docker
- name: Anchore Scanner
uses: anchore/scan-action@v3
id: grype-scan
with:
image: oryd/kratos:latest
image: oryd/kratos:${{ steps.vars.outputs.sha_short }}
fail-build: true
severity-cutoff: high
debug: false
acs-report-enable: true
- name: Anchore upload scan SARIF report
if: always()
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ${{ steps.grype-scan.outputs.sarif }}
- name: Trivy Scanner
uses: aquasecurity/trivy-action@master
if: ${{ always() }}
with:
image-ref: oryd/kratos:latest
image-ref: oryd/kratos:${{ steps.vars.outputs.sha_short }}
format: 'table'
exit-code: '42'
ignore-unfixed: true
Expand All @@ -43,6 +57,6 @@ jobs:
uses: erzz/[email protected]
if: ${{ always() }}
with:
image: oryd/kratos:latest
image: oryd/kratos:${{ steps.vars.outputs.sha_short }}
exit-code: 42
failure-threshold: fatal
2 changes: 2 additions & 0 deletions .grype.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
ignore:
- vulnerability: CVE-2015-5237
9 changes: 8 additions & 1 deletion Makefile
Original file line number Diff line number Diff line change
@@ -1,5 +1,11 @@
SHELL=/bin/bash -o pipefail

ifdef image_tag
IMAGE_TAG := $(image_tag)
else
IMAGE_TAG := latest
endif

# EXECUTABLES = docker-compose docker node npm go
# K := $(foreach exec,$(EXECUTABLES),\
# $(if $(shell which $(exec)),some string,$(error "No $(exec) in PATH")))
Expand Down Expand Up @@ -135,7 +141,8 @@ format: .bin/goimports docs/node_modules node_modules
# Build local docker image
.PHONY: docker
docker:
DOCKER_BUILDKIT=1 docker build -f .docker/Dockerfile-build --build-arg=COMMIT=$(VCS_REF) --build-arg=BUILD_DATE=$(BUILD_DATE) -t oryd/kratos:latest .
@echo "Building Image 'oryd/kratos:$(IMAGE_TAG)'"
DOCKER_BUILDKIT=1 docker build -f .docker/Dockerfile-build --build-arg=COMMIT=$(VCS_REF) --build-arg=BUILD_DATE=$(BUILD_DATE) -t oryd/kratos:$(IMAGE_TAG) .
tricky42 marked this conversation as resolved.
Show resolved Hide resolved

# Runs the documentation tests
.PHONY: test-docs
Expand Down