From cb0df814854072df332460b14cf2af598446e136 Mon Sep 17 00:00:00 2001
From: Martijn Kamphuis <mkamphuis@outlook.com>
Date: Thu, 9 Jan 2025 10:56:10 +0100
Subject: [PATCH] Add container scanning

---
 .github/workflows/delivery.yml | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/delivery.yml b/.github/workflows/delivery.yml
index 1730a6b..1b75ed0 100644
--- a/.github/workflows/delivery.yml
+++ b/.github/workflows/delivery.yml
@@ -1,6 +1,8 @@
 name: Delivery
 on:
+  pull_request:
+    types: [synchronize, opened, reopened]
   push:
     branches: [ master ]
   release:
 
@@ -34,10 +36,29 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Build container and push to GitHub Container Registry
+      - name: Build container and export to local Docker
         uses: docker/build-push-action@v5
         with:
           context: .
-          push: true
+          load: true
+          tags: local/yivitube:scan
+
+      - name: Scan Image
+        uses: anchore/scan-action@v3
+        id: scan
+        with:
+          image: local/yivitube:scan
+          fail-build: true
+          output-format: sarif
+
+      - name: Upload Anchore Scan SARIF Report
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+
+      - name: Push image to GitHub Container Registry
+        uses: docker/build-push-action@v5
+        with:
+          push: github.event_name != 'pull_request'
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
\ No newline at end of file
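Review bot: The explicit `types: [synchronize, opened, reopened]` under the new `pull_request:` trigger is the default activity-type set for that event, so the line adds nothing but reads as if the trigger had been narrowed; drop it, or restrict it to what the scan actually needs. The new trigger also carries no `branches:` filter, unlike the neighbouring `push:` trigger that keeps `branches: [ master ]`, so pull requests against any branch now run the registry login, build and scan steps; if that is not intended, add `branches: [ master ]` under `pull_request:` as well. Because the SARIF upload added in the second hunk needs `security-events: write`, check that the workflow's `permissions:` block (not part of this diff) grants it, bearing in mind that the token is read-only on pull requests from forks.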
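Review bot: `push: github.event_name != 'pull_request'` in the final step is handed to the action as that literal string, because workflow expressions are only evaluated inside `${{ }}`; the action's boolean `push` input will reject it or at best treat it as not-true, so nothing is pushed on master or release builds, and the line should read `push: ${{ github.event_name != 'pull_request' }}`. The upload step only runs when the scan step succeeds, so with `fail-build: true` the very findings that fail the build never reach code scanning; add `if: always()` to the `Upload Anchore Scan SARIF Report` step so the SARIF is uploaded either way. The push step also omits `context: .`, so build-push-action falls back to its Git context and rebuilds the image instead of pushing the `local/yivitube:scan` image that was just scanned; the layer cache will usually reproduce the same bits, but the scan gate and the published artifact are not guaranteed to be the same image, so either add `context: .` or tag the scanned image with the `steps.meta` tags and push that. `github/codeql-action/upload-sarif@v2` is on the deprecated v2 line; `@v3` is the maintained release.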