container-openvoxserver/.github/workflows/security_scanning.yml at main · OpenVoxProject/container-openvoxserver · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
---
name: Security Scanning 🕵️

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

permissions:
  contents: read # minimal required permissions to clone repo

jobs:
  setup-matrix:
    runs-on: ubuntu-latest
    outputs:
      build_matrix: ${{ steps.set-build-matrix.outputs.build_matrix }}
    steps:
      - name: Source checkout
        uses: actions/checkout@v6

      - name: 'Setup yq'
        uses: dcarbone/install-yq-action@v1.3.1

      - id: set-build-matrix
        run: echo "build_matrix=$(bash matrix.sh build)" >> $GITHUB_OUTPUT

  scan_ci_container:
    name: 'Scan ${{ matrix.platform }} CI container'
    runs-on: ${{ matrix.runner }}
    permissions:
      actions: read
      contents: read
      security-events: write
    needs: setup-matrix
    strategy:
      matrix: ${{ fromJson(needs.setup-matrix.outputs.build_matrix) }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Extract version number
        id: extract_version
        uses: actions/github-script@v9
        with:
          script: |
            const agentVersion = '${{ matrix.server_version }}';
            const version = agentVersion.split('-')[0];
            core.setOutput('version', version);

      - name: Build ${{ matrix.platform }} CI container
        uses: docker/build-push-action@v7
        with:
          tags: 'ci/openvoxserver:${{ steps.extract_version.outputs.version }}'
          context: openvoxserver
          file: openvoxserver/Containerfile
          platforms: linux/${{ matrix.platform }}
          push: false
          build-args: |
            OPENVOX_RELEASE=${{ matrix.release }}
            OPENVOXSERVER_VERSION=${{ matrix.server_version }}
            OPENVOXDB_VERSION=${{ matrix.db_version }}
            R10K_VERSION=${{ matrix.r10k_version }}
            RUGGED_VERSION=${{ matrix.rugged_version }}
            JDK_VERSION=${{ matrix.jdk_version }}

      - name: Scan image with Anchore Grype
        uses: anchore/scan-action@v7
        id: scan
        with:
          image: 'ci/openvoxserver:${{ steps.extract_version.outputs.version }}'
          fail-build: false

      - name: Inspect action SARIF report
        run: jq . ${{ steps.scan.outputs.sarif }}

      - name: Upload Anchore scan SARIF report
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}