scans

ci(grype): fail-build-pr-only (#505) #894

Workflow file for this run

	name: scans
	on:
	push:
	branches: [main]
	pull_request:
	branches: [main]
	merge_group:
	branches: [main]
	workflow_call:
	workflow_dispatch:

	permissions: {}

	concurrency:
	group: ${{ github.workflow }}-${{ github.ref }}
	cancel-in-progress: ${{ github.ref_name != github.event.repository.default_branch }}

	jobs:
	checkov:
	permissions:
	contents: read
	security-events: write

	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5

	- uses: bridgecrewio/checkov-action@562029b35f14a3859b4cc88d4e5308c440867d5f # master
	with:
	soft_fail: ${{ github.event_name != 'pull_request' }}

	- if: ${{ success() \|\| failure() }}
	uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3
	with:
	sarif_file: results.sarif

	clair:
	permissions:
	contents: read
	security-events: write

	runs-on: ubuntu-latest
	env:
	GHCR_IMAGE_NAME: ghcr.io/${{ github.repository }}
	steps:
	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5

	- id: build
	uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
	with:
	cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache
	load: true

	- run: \|
	docker save "${IMAGE_ID}" \| podman load
	podman save -o "${GITHUB_SHA}" "${IMAGE_ID}"
	env:
	IMAGE_ID: ${{ steps.build.outputs.imageid }}

	- uses: quay/clair-action@4c60dd9b6a58f54a9418b0c9dcd0d6b412223a9f # V0
	with:
	image-path: ${{ github.sha }}
	output: clair_results.sarif
	return-code: ${{ github.event_name == 'pull_request' && 1 \|\| 0 }}
	db-file: matcher.db

	- if: ${{ success() \|\| failure() }}
	uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3
	with:
	sarif_file: clair_results.sarif

	devskim:
	permissions:
	contents: read
	security-events: write

	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5

	- uses: microsoft/DevSkim-Action@4b5047945a44163b94642a1cecc0d93a3f428cc6 # v1

	- uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3
	with:
	sarif_file: devskim-results.sarif

	dustilock:
	permissions:
	contents: read

	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5

	- uses: checkmarx/dustilock@9a0cc4fe3da93f7efb38679896c074dc94d60ac6 # v1

	gitleaks:
	permissions:
	contents: write
	pull-requests: write
	security-events: write

	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
	with:
	fetch-depth: (${{ github.event.pull_request.commits \|\| 2 }} + 1)

	- uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
	env:
	GITHUB_TOKEN: ${{ github.token }}

	- if: ${{ success() \|\| failure() }}
	uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3
	with:
	sarif_file: results.sarif

	grype:
	permissions:
	contents: read
	security-events: write

	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5

	- id: grype
	uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6
	with:
	path: .
	fail-build: ${{ github.event_name == 'pull_request' }}
	severity-cutoff: high
	only-fixed: true

	- if: ${{ success() \|\| failure() }}
	uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3
	with:
	sarif_file: ${{ steps.grype.outputs.sarif }}

	grype-container:
	permissions:
	contents: read
	security-events: write

	runs-on: ubuntu-latest
	env:
	GHCR_IMAGE_NAME: ghcr.io/${{ github.repository }}
	steps:
	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5

	- id: build
	uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
	with:
	cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache
	load: true

	- id: grype
	uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6
	with:
	image: ${{ env.IMAGE_ID }}
	fail-build: ${{ github.event_name == 'pull_request' }}
	severity-cutoff: high
	only-fixed: true
	env:
	IMAGE_ID: ${{ steps.build.outputs.imageid }}

	- if: ${{ success() \|\| failure() }}
	uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3
	with:
	sarif_file: ${{ steps.grype.outputs.sarif }}

	kics:
	permissions:
	checks: write
	contents: read
	pull-requests: write
	security-events: write

	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5

	- uses: checkmarx/kics-github-action@cd1f3774406f7818e3f79b77b093fe2ebaaf5c1d # v2
	with:
	enable_annotations: true
	enable_comments: true
	enable_jobs_summary: true
	comments_with_queries: true
	path: .
	fail_on: high
	output_formats: sarif
	bom: true

	- if: ${{ success() \|\| failure() }}
	uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3
	with:
	sarif_file: results.sarif

	megalinter:
	permissions:
	contents: write
	pull-requests: write
	security-events: write
	statuses: write

	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
	with:
	repository: ${{ github.event.pull_request.head.repo.full_name \|\| github.repository }}
	ref: ${{ github.event.pull_request.head.sha \|\| github.sha }}

	- id: megalinter
	# You can override MegaLinter flavor used to have faster performances
	# More info at https://megalinter.io/latest/flavors/
	uses: oxsecurity/megalinter/flavors/python@e08c2b05e3dbc40af4c23f41172ef1e068a7d651 # v8
	env:
	GITHUB_TOKEN: ${{ github.token }}

	- if: ${{ success() \|\| failure() }}
	uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
	with:
	name: megalinter-reports
	path: megalinter-reports

	- if: ${{ success() \|\| failure() }}
	uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3
	with:
	sarif_file: megalinter-reports/megalinter-report.sarif
	ref: ${{ github.head_ref && format('refs/heads/{0}', github.head_ref) \|\| github.ref }}
	sha: ${{ github.event.pull_request.head.sha \|\| github.sha }}

	- if: ${{ failure() && steps.megalinter.outputs.has_updated_sources == 1 && github.event_name == 'pull_request' }}
	name: commit changes
	run: \|
	git config user.email "${GITHUB_ACTOR_ID}+${GITHUB_ACTOR}@users.noreply.github.com"
	git config user.name "${GITHUB_ACTOR}"
	git commit --all --message "${COMMIT_MESSAGE}"
	git push origin "HEAD:refs/heads/${GITHUB_HEAD_REF}"
	env:
	COMMIT_MESSAGE: "fix: apply megalinter fixes"
	# https://api.github.com/users/megalinter-bot
	GITHUB_ACTOR: megalinter-bot
	GITHUB_ACTOR_ID: 129584137

	msdo:
	permissions:
	contents: read
	id-token: write
	security-events: write

	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5

	- uses: microsoft/security-devops-action@08976cb623803b1b36d7112d4ff9f59eae704de0 # v1
	id: msdo

	- uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3
	with:
	sarif_file: ${{ steps.msdo.outputs.sarifFile }}

	osv-scan-pr:
	permissions:
	actions: read
	contents: read
	security-events: write

	if: ${{ github.event_name == 'pull_request' \|\| github.event_name == 'merge_group' }}
	uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@6c57776178c26313323dcdf6c082ed195314fd17 # v2

	osv-scan-push:
	permissions:
	actions: read
	contents: read
	security-events: write

	if: ${{ github.event_name == 'push' \|\| github.event_name == 'schedule' }}
	uses: google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@6c57776178c26313323dcdf6c082ed195314fd17 # v2
	with:
	fail-on-vuln: false

	syft:
	permissions:
	actions: read
	contents: write
	security-events: write

	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5

	- uses: anchore/sbom-action@7b36ad622f042cab6f59a75c2ac24ccb256e9b45 # v0
	with:
	output-file: "${{ github.event.repository.name }}-sbom.spdx.json"
	dependency-snapshot: true

	- id: grype
	uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6
	with:
	sbom: "${{ github.event.repository.name }}-sbom.spdx.json"
	fail-build: ${{ github.event_name == 'pull_request' }}
	severity-cutoff: high
	only-fixed: true

	- if: ${{ success() \|\| failure() }}
	uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3
	with:
	sarif_file: ${{ steps.grype.outputs.sarif }}

	trivy-fs:
	permissions:
	contents: write
	security-events: write

	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5

	- uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.30
	with:
	scan-type: fs
	format: github
	output: dependency-results.sbom.json
	github-pat: ${{ github.token }}

	- uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.30
	with:
	scan-type: fs
	format: sarif
	output: trivy-results.sarif
	exit-code: ${{ github.event_name == 'pull_request' && 1 \|\| 0}}
	ignore-unfixed: true
	severity: HIGH,CRITICAL
	scanners: vuln,secret,misconfig
	skip-setup-trivy: true

	- uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3
	with:
	sarif_file: trivy-results.sarif

	trivy-image:
	permissions:
	contents: write
	security-events: write

	runs-on: ubuntu-latest
	env:
	GHCR_IMAGE_NAME: ghcr.io/${{ github.repository }}
	steps:
	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
	# required for sarif upload

	- id: build
	uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
	with:
	cache-from: ${{ env.GHCR_IMAGE_NAME }}:cache
	load: true

	- uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.30
	with:
	image-ref: ${{ steps.build.outputs.imageid }}
	format: github
	output: dependency-results.sbom.json
	github-pat: ${{ github.token }}

	- uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # 0.30
	with:
	image-ref: ${{ steps.build.outputs.imageid }}
	format: sarif
	output: trivy-results.sarif
	exit-code: ${{ github.event_name == 'pull_request' && 1 \|\| 0}}
	ignore-unfixed: true
	severity: HIGH,CRITICAL
	skip-setup-trivy: true

	- uses: github/codeql-action/upload-sarif@76621b61decf072c1cee8dd1ce2d2a82d33c17ed # v3
	with:
	sarif_file: trivy-results.sarif

	trufflehog:
	permissions:
	contents: read

	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
	with:
	fetch-depth: (${{ github.event.pull_request.commits \|\| 2 }} + 1)

	- uses: trufflesecurity/trufflehog@ed6d045b46642d0d94a60bdf9b1246aefbcf3d35 # v3
	with:
	extra_args: --results=verified,unknown

	trunk:
	permissions:
	checks: write
	contents: write
	issues: write # create labels
	pull-requests: write

	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
	with:
	ref: ${{ github.event.pull_request.head.sha \|\| github.sha }}

	- if: ${{ github.event_name == 'pull_request' && !contains(github.event.pull_request.title, 'upgrade trunk') }}
	uses: trunk-io/trunk-action/upgrade@75699af9e26881e564e9d832ef7dc3af25ec031b # v1
	with:
	prefix: "ci: "

	- uses: trunk-io/trunk-action@75699af9e26881e564e9d832ef7dc3af25ec031b # v1
	env:
	INPUT_GITHUB_REF_NAME: ${{ github.event.pull_request.head.ref \|\| github.ref_name }}

	- if: ${{ failure() && github.event_name == 'pull_request' }}
	uses: trunk-io/trunk-action@75699af9e26881e564e9d832ef7dc3af25ec031b # v1
	env:
	INPUT_AUTOFIX_AND_PUSH: true
	INPUT_GITHUB_REF_NAME: ${{ format('HEAD:refs/heads/{0}', github.event.pull_request.head.ref) }}

	vorpal:
	permissions:
	checks: write
	contents: read

	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5

	- id: changed-files
	uses: step-security/changed-files@95b56dadb92a30ca9036f16423fd3c088a71ee94 # v46
	with:
	files: "*/.{cs,java,js,py}"
	separator: ","

	- if: ${{ steps.changed-files.outputs.all_changed_files != '' }}
	uses: checkmarx/vorpal-reviewdog-github-action@8cc292f337a2f1dea581b4f4bd73852e7becb50d # v1
	with:
	source_path: ${{ steps.changed-files.outputs.all_changed_files }}
	reporter: github-pr-check
	filter_mode: file
	fail_on_error: ${{ github.event_name == 'pull_request' }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci(grype): fail-build-pr-only (#505) #894

Workflow file

ci(grype): fail-build-pr-only (#505) #894

Uh oh!

Workflow file for this run