chore: use adfinis/container-scanning-action

adfinis · Apr 23, 2024 · e7ef447 · e7ef447
1 parent c294656
commit e7ef447
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 128 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -21,7 +21,7 @@ jobs:
       packages: write
       pull-requests: none
       repository-projects: none
-      security-events: none
+      security-events: write
       statuses: none
       id-token: write # needed for signing the images with GitHub OIDC using cosign
 
@@ -80,37 +80,23 @@ jobs:
             ghcr.io/${{ github.repository }}/ember:${{ steps.semrel.outputs.version }}
             ghcr.io/${{ github.repository }}/ember:latest
 
-      - name: Run Trivy vulnerability scanner on api
+      - name: Sign api image and attach SBOM attestation
         if: steps.semrel.outputs.version != ''
-        uses: aquasecurity/trivy-action@0.19.0
+        uses: adfinis/container-scanning-action@v0.2.2
         with:
           image-ref: ghcr.io/${{ github.repository }}/api
-          format: "cyclonedx"
-          output: "api.cdx"
+          token: ${{ secrets.GITHUB_TOKEN }}
+          digest: ${{ steps.docker-api.outputs.digest }}
+          attest: true
 
-      - name: Run Trivy vulnerability scanner on ember
+      - name: Sign ember image and attach SBOM attestation
         if: steps.semrel.outputs.version != ''
-        uses: aquasecurity/trivy-action@0.19.0
+        uses: adfinis/container-scanning-action@v0.2.2
         with:
           image-ref: ghcr.io/${{ github.repository }}/ember
-          format: "cyclonedx"
-          output: "ember.cdx"
-
-      - name: Install Cosign
-        if: steps.semrel.outputs.version != ''
-        uses: sigstore/[email protected]
-
-      - name: Sign the images with GitHub OIDC Token using cosign
-        if: steps.semrel.outputs.version != ''
-        run: |
-          cosign sign --yes ghcr.io/${{ github.repository }}/api@${{ steps.docker-api.outputs.digest }}
-          cosign sign --yes ghcr.io/${{ github.repository }}/ember@${{ steps.docker-ember.outputs.digest }}
-
-      - name: Attach an SBOM attestation to the signed images
-        if: steps.semrel.outputs.version != ''
-        run: |
-          cosign attest --yes --type cyclonedx --predicate api.cdx ghcr.io/${{ github.repository }}/api@${{ steps.docker-api.outputs.digest }}
-          cosign attest --yes --type cyclonedx --predicate ember.cdx ghcr.io/${{ github.repository }}/ember@${{ steps.docker-ember.outputs.digest }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+          digest: ${{ steps.docker-ember.outputs.digest }}
+          attest: true
 
       - name: Set up Helm
         if: steps.semrel.outputs.version != ''
@@ -128,19 +114,3 @@ jobs:
       - name: Push Chart
         if: steps.semrel.outputs.version != ''
         run: helm push dist/*.tgz oci://ghcr.io/${{ github.repository }}/helm
-
-  trivy-scan-api:
-    if: always()
-    needs: semrel
-    uses: ./.github/workflows/trivy-scan.yaml
-    with:
-      image-ref: api
-      attest: ${{ needs.semrel.result == 'success' }}
-
-  trivy-scan-ember:
-    if: always()
-    needs: semrel
-    uses: ./.github/workflows/trivy-scan.yaml
-    with:
-      image-ref: ember
-      attest: ${{ needs.semrel.result == 'success' }}
diff --git a/.github/workflows/schedule.yaml b/.github/workflows/schedule.yaml
@@ -9,12 +9,46 @@ on:
 jobs:
   scan-api:
     name: Scan api image
-    uses: ./.github/workflows/trivy-scan.yaml
-    with:
-      image-ref: api
+    runs-on: ubuntu-latest
+    permissions:
+      actions: none
+      checks: none
+      contents: none
+      deployments: none
+      issues: none
+      packages: write
+      pull-requests: none
+      repository-projects: none
+      security-events: write
+      statuses: none
+      # needed for `cosign attest`
+      id-token: write
+    steps:
+      - uses: adfinis/[email protected]
+        with:
+          image-ref: ghcr.io/${{ github.repository }}/ember
+          token: ${{ secrets.GITHUB_TOKEN }}
+          attest: true
 
   scan-ember:
     name: Scan ember image
-    uses: ./.github/workflows/trivy-scan.yaml
-    with:
-      image-ref: ember
+    runs-on: ubuntu-latest
+    permissions:
+      actions: none
+      checks: none
+      contents: none
+      deployments: none
+      issues: none
+      packages: write
+      pull-requests: none
+      repository-projects: none
+      security-events: write
+      statuses: none
+      # needed for `cosign attest`
+      id-token: write
+    steps:
+      - uses: adfinis/[email protected]
+        with:
+          image-ref: ghcr.io/${{ github.repository }}/ember
+          token: ${{ secrets.GITHUB_TOKEN }}
+          attest: true
diff --git a/.github/workflows/trivy-scan.yaml b/.github/workflows/trivy-scan.yaml