ci: scan vulnerability #4
Workflow file for this run
```yaml
name: Scan image vulnerability
on:
  push:
  pull_request:
  workflow_dispatch:
  schedule:
    # Sunday, 18:00 JST (09:00 UTC)
    - cron: '0 9 * * 0'
concurrency:
  group: ${{ github.head_ref || github.sha }}-${{ github.workflow }}
  cancel-in-progress: true
jobs:
  setup:
    name: Scan image with grype security vulnerability scanner
    strategy:
      fail-fast: false
    runs-on: ubuntu-latest
    steps:
      - name: Pull latest grype container image
        run: |
          docker pull anchore/grype:latest
  debian:
    needs: setup
    name: Scan debian image with grype
    strategy:
      fail-fast: false
    runs-on: ubuntu-latest
    steps:
      - name: Pull and scan upstream trixie image
        run: |
          docker pull debian:trixie
          # grype output is appended to the job summary shown on the run page
          docker run --rm anchore/grype:latest debian:trixie >> $GITHUB_STEP_SUMMARY
  ruby:
    needs: setup
    name: Scan image with grype
    strategy:
      fail-fast: false
    runs-on: ubuntu-latest
    steps:
      - name: Pull and scan upstream Ruby image
        run: |
          docker pull ruby:3.4-slim
          docker run --rm anchore/grype:latest ruby:3.4-slim >> $GITHUB_STEP_SUMMARY
  fluentd:
    needs: setup
    name: Scan Fluentd image with grype
    strategy:
      fail-fast: false
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Pull and scan Fluentd image
        run: |
          # Resolve the image tag from the repository Makefile, e.g. v1.19.1-debian-amd64
          IMAGE=$(make echo-all-images | cut -d' ' -f1|cut -d',' -f3)
          docker run --rm anchore/grype:latest fluent/fluentd:$IMAGE >> $GITHUB_STEP_SUMMARY
```