Merge pull request #67 from betadots/grype

feat: switch container scanning to grype
betadots · Sep 20, 2024 · 337a29f · 337a29f
2 parents 47eff7e + abe0643
commit 337a29f
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 31 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -47,37 +47,6 @@ jobs:
             BOLT_VERSION=${{ matrix.bolt_version }}
             PUPPETDB_TERMINI_VERSION=${{ matrix.puppetdb_termini_version }}
 
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
-        with:
-          username: ${{ vars.DOCKERHUB_USER }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Analyze container image for CVEs
-        id: analyze-image-cves
-        uses: docker/scout-action@v1
-        with:
-          command: cves
-          image: 'local://ci/pdc:${{ matrix.puppet_release }}'
-          sarif-file: sarif.output.${{ matrix.puppet_release }}.${{ github.sha }}.json
-          write-comment: false
-
-      - name: Compare container image to latest from Registry
-        id: compare-image
-        uses: docker/scout-action@v1
-        with:
-          command: compare
-          image: 'local://ci/pdc:${{ matrix.puppet_release }}'
-          to: 'ghcr.io/betadots/pdc:latest-${{ matrix.puppet_release }}'
-          summary: true
-          keep-previous-comments: true
-
-      - name: Upload SARIF result
-        id: upload-sarif
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: sarif.output.${{ matrix.puppet_release }}.${{ github.sha }}.json
-
   tests:
     needs:
       - build_test_container

diff --git a/.github/workflows/security_scanning.yml b/.github/workflows/security_scanning.yml
@@ -0,0 +1,64 @@
+---
+name: Security Scanning 🕵️
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  setup-matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - name: Source checkout
+        uses: actions/checkout@v4
+
+      - id: set-matrix
+        run: echo "matrix=$(jq -c . build_versions.json)" >> $GITHUB_OUTPUT
+
+  scan_ci_container:
+    name: 'Scan CI container'
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    needs: setup-matrix
+    strategy:
+      matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Build CI container
+        uses: docker/build-push-action@v6
+        with:
+          tags: 'ci/pdc:${{ matrix.puppet_version }}'
+          push: false
+          build-args: |
+            PUPPET_RELEASE=${{ matrix.puppet_release }}
+            PUPPET_VERSION=${{ matrix.puppet_version }}
+            TERRAFORM_VERSION=${{ matrix.terraform_version }}
+            PDK_VERSION=${{ matrix.pdk_version }}
+            BOLT_VERSION=${{ matrix.bolt_version }}
+            PUPPETDB_TERMINI_VERSION=${{ matrix.puppetdb_termini_version }}
+
+      - name: Scan image with Anchore Grype
+        uses: anchore/scan-action@v4
+        id: scan
+        with:
+          image: 'ci/pdc:${{ matrix.puppet_version }}'
+          fail-build: false
+
+      - name: Inspect action SARIF report
+        run: jq . ${{ steps.scan.outputs.sarif }}
+
+      - name: Upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}