-
Notifications
You must be signed in to change notification settings - Fork 15
130 lines (116 loc) · 3.3 KB
/
grype.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
#
# Author: Hari Sekhon
# Date: 2022-01-31 16:49:05 +0000 (Mon, 31 Jan 2022)
#
# vim:ts=2:sts=2:sw=2:et
#
# https://github.com/HariSekhon/GitHub-Actions
#
# If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback
#
# https://www.linkedin.com/in/HariSekhon
#
# ============================================================================ #
# G r y p e
# ============================================================================ #
---
name: Grype
on:
push:
branches:
- master
- main
paths:
- .github/workflows/grype.yaml
#ignore-paths:
# - '**/README.md'
pull_request:
branches:
- master
- main
paths:
- .github/workflows/grype.yaml
#ignore-paths:
# - '**/README.md'
workflow_call:
inputs:
path:
description: The filesystem path for Grype to analyze
type: string
default: .
required: false
severity:
description: Set a severity to trigger CI workflow failure
type: string
default: high
required: false
debug:
type: string
required: false
default: false
workflow_dispatch:
inputs:
path:
description: The filesystem path for Grype to analyze
type: string
default: .
required: false
severity:
description: Set a severity to trigger CI workflow failure
type: string
default: high
required: false
debug:
type: boolean
required: false
default: false
permissions:
contents: read
security-events: write
defaults:
run:
shell: sh -eux {0}
env:
# ${{ inputs.* }} is set by workflow_call
# ${{ github.events.inputs.* }} is set by workflow_dispatch
SCAN_PATH: ${{ inputs.path || github.event.inputs.path || '.' }}
DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }}
jobs:
grype:
name: Filesystem Scan
runs-on: ubuntu-latest
steps:
- name: Environment
run: env | sort
- uses: actions/checkout@v3
- name: Grype Filsystem Scan
if: ${{ inputs.severity || github.event.inputs.severity }}
# https://github.com/anchore/scan-action
uses: anchore/scan-action@v3
with:
path: ${{ env.SCAN_PATH }}
fail-build: true
severity-cutoff: ${{ inputs.severity || github.event.inputs.severity }}
output-format: table
# ============================================================================ #
grype_github:
name: Filesystem Scan GitHub Security tab
runs-on: ubuntu-latest
steps:
- name: Environment
run: env | sort
- uses: actions/checkout@v3
- name: Grype Generate Sarif
#if: ${{ inputs.severity || github.event.inputs.severity }}
id: scan
# https://github.com/anchore/scan-action
uses: anchore/scan-action@v3
with:
path: ${{ env.SCAN_PATH }}
fail-build: false
output-format: sarif
- name: Upload Grype sarif to GitHub Security tab
#if: ${{ ! ( inputs.no_sarif || github.event.inputs.sarif ) }}
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: ${{ steps.scan.outputs.sarif }}