New code scan action
This commit is contained in:
parent
e76de4495e
commit
5225763586
39
.github/workflows/push-code-scan.yml
vendored
Normal file
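--- /dev/null
+++ b/.github/workflows/push-code-scan.yml
@@ -0,0 +1,39 @@
+name: Image Vulnerability Scan
+# Secrets can only viewed in "push" events. Not pull_request events.
+# That's why this step needs to be called on push, and not on pull_request (to read docker login password).
+
+on:
+  workflow_call:
+
+env:
+  REPO: ${{ github.repository }}/temp #Add /temp for temporary images
+
+jobs:
+
+  push-container-scan:
+    runs-on: ubuntu-22.04
+
+    steps:
+
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          registry-url: ${{ vars.NPM_REGISTRY }}
+          token: ${{ secrets.NPM_TOKEN }}
+
+      - name: Install npm dependencies
+        run: |
+          npm install -g pnpm
+          pnpm install
+
+      - name: Scan container image for vulnerabilities with grype
+        uses: anchore/scan-action@v6
+        with:
+          path: "."
+          cache-db: true #Cache Grype DB in Github Actions
+          output-format: table
+          only-fixed: true
+          severity-cutoff: critical
+          fail-build: true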
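Review bot: The `token: ${{ secrets.NPM_TOKEN }}` input on the setup-node step does not authenticate `pnpm install` against the registry — setup-node's `token` input is the GitHub token used to download Node distributions, while registry credentials are read from the `NODE_AUTH_TOKEN` environment variable at install time — so the install against `vars.NPM_REGISTRY` presumably runs unauthenticated; move the secret to `env:` / `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` on the "Install npm dependencies" step and drop it from the setup-node inputs. Because the only trigger is `workflow_call:` with no `secrets:` declared, the caller must pass `secrets: inherit` (or declare the secret explicitly) for that value to be non-empty, which the header comment about push events does not say; a comment such as `# Reusable workflow: the caller must pass secrets (e.g. secrets: inherit) for NPM_TOKEN to be set.` would make the contract visible. The three actions are referenced by mutable tags (`actions/checkout@v4`, `actions/setup-node@v4`, `anchore/scan-action@v6`); pin each to a full commit SHA with the tag in a trailing comment so a moved tag cannot change what runs in the scan job. The step name says it scans a container image but `path: "."` points grype at the checked-out directory, and `env.REPO` is never read — rename the step to match what it scans or remove the unused variable.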