name: Docker Image Scanners
# Triggers: every push to the default branch or a release-looking tag,
# plus pull requests that target the default branch.
on:
  push:
    branches:
      - 'master'
    tags:
      # three-component version tags only (e.g. v2.0.1)
      - 'v*.*.*'
  pull_request:
    branches:
      - 'master'

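jobs:
  scanners:
    runs-on: ubuntu-latest
    # Least-privilege token for this job: checkout needs read access and
    # github/codeql-action/upload-sarif needs security-events: write.
    # NOTE(review): on pull_request runs from forks the token is read-only
    # regardless of this block, so the SARIF upload may fail there — confirm
    # against the repository's Actions settings.
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: Setup Env
        id: vars
        shell: bash
        # Derive the short SHA once and publish the image reference every
        # scanner below uses, so the image name lives in one place.
        run: |
          sha_short="$(git rev-parse --short HEAD)"
          echo "SHA_SHORT=${sha_short}" >> "${GITHUB_ENV}"
          echo "SCAN_IMAGE=oryd/hydra:${sha_short}-sqlite" >> "${GITHUB_ENV}"
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Build images
        id: build
        shell: bash
        # SHA_SHORT is an ordinary environment variable in this step; read it
        # via the shell instead of splicing an expression into the script.
        run: |
          IMAGE_TAG="${SHA_SHORT}" make docker
      - name: Anchore Scanner
        uses: anchore/scan-action@v3
        id: grype-scan
        with:
          image: ${{ env.SCAN_IMAGE }}
          # fail the job on findings at or above the cutoff
          fail-build: true
          severity-cutoff: high
          add-cpes-if-none: true
      - name: Inspect action SARIF report
        shell: bash
        # Show details even when the scan step failed (that is the interesting
        # case), but not when the job was cancelled or no SARIF file exists.
        if: ${{ !cancelled() && steps.grype-scan.outputs.sarif != '' }}
        run: |
          echo "::group::Anchore Scan Details"
          jq '.runs[0].results' "${{ steps.grype-scan.outputs.sarif }}"
          echo "::endgroup::"
      - name: Anchore upload scan SARIF report
        if: ${{ !cancelled() && steps.grype-scan.outputs.sarif != '' }}
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.grype-scan.outputs.sarif }}
      - name: Kubescape scanner
        # TODO(security): pin to a release tag or commit SHA. A mutable branch
        # ref means whatever lands on upstream main runs in this job, with its
        # token and the freshly built image, without review here.
        uses: kubescape/github-action@main
        id: kubescape
        # Like the other image scanners, report even if an earlier scanner
        # failed; skip only on cancellation or when no image was built.
        if: ${{ !cancelled() && steps.build.outcome == 'success' }}
        with:
          image: ${{ env.SCAN_IMAGE }}
          verbose: true
          format: pretty-printer
          # can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568
          severityThreshold: critical
      - name: Trivy Scanner
        # TODO(security): pin to a release tag or commit SHA (same reasoning
        # as the Kubescape step).
        uses: aquasecurity/trivy-action@master
        if: ${{ !cancelled() && steps.build.outcome == 'success' }}
        with:
          image-ref: ${{ env.SCAN_IMAGE }}
          format: "table"
          # any non-zero exit fails the step when findings match the filters
          exit-code: "42"
          # NOTE: findings without an available fix do not gate the build
          ignore-unfixed: true
          vuln-type: "os,library"
          severity: "CRITICAL,HIGH"
          scanners: "vuln,secret,config"
      - name: Dockle Linter
        uses: erzz/dockle-action@v1.3.2
        if: ${{ !cancelled() && steps.build.outcome == 'success' }}
        with:
          image: ${{ env.SCAN_IMAGE }}
          exit-code: "42"
          failure-threshold: high
      - name: Hadolint
        uses: hadolint/hadolint-action@v3.1.0
        id: hadolint
        # Lints the Dockerfile, not the image, so it does not depend on the
        # build step; run unless the job was cancelled.
        if: ${{ !cancelled() }}
        with:
          dockerfile: .docker/Dockerfile-build
          verbose: true
          format: "json"
          failure-threshold: "error"
      - name: View Hadolint results
        if: ${{ !cancelled() }}
        shell: bash
        run: |
          echo "::group::Hadolint Scan Details"
          echo "${HADOLINT_RESULTS}" | jq '.'
          echo "::endgroup::"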