Container Scan #2
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Container Scan | |
| permissions: | |
| contents: read | |
| on: | |
| schedule: | |
| - cron: '0 6 * * 1' # weekly Monday 06:00 UTC | |
| jobs: | |
| grype: | |
| name: Container Scan | |
| runs-on: ubuntu-latest | |
| env: | |
| GRYPE_VERSION: "0.111.0" | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6 | |
| - name: Scan image | |
| uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # ratchet:anchore/scan-action@v7 | |
| id: scan | |
| with: | |
| image: ghcr.io/coopernetes/git-proxy-java:latest | |
| grype-version: ${{ env.GRYPE_VERSION }} | |
| fail-build: true | |
| severity-cutoff: high | |
| only-fixed: true | |
| config: .grype.yaml | |
| # SARIF upload intentionally omitted — OS-layer CVEs from the base image are triaged | |
| # by internal scanning with application context. Uploading here creates misleading noise | |
| # in the GitHub Security tab (high CVSS score ≠ high actual risk for this workload). | |
| # The build still fails on high/critical with a fix available via fail-build: true above. | |
| - name: Install grype | |
| if: always() | |
| run: | | |
| curl -sSfL -o /tmp/grype.tar.gz \ | |
| https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz | |
| curl -sSfL -o /tmp/grype_checksums.txt \ | |
| https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_checksums.txt | |
| grep "grype_${GRYPE_VERSION}_linux_amd64.tar.gz" /tmp/grype_checksums.txt | sha256sum --check --ignore-missing | |
| tar -xzf /tmp/grype.tar.gz -C /usr/local/bin grype | |
| - name: Generate human-readable report | |
| if: always() | |
| run: | | |
| grype ghcr.io/coopernetes/git-proxy-java:latest \ | |
| --config .grype.yaml \ | |
| --output table > grype-report.txt || true | |
| grype ghcr.io/coopernetes/git-proxy-java:latest \ | |
| --config .grype.yaml \ | |
| --output json > grype-report.json || true | |
| - name: Upload scan reports | |
| if: always() | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # ratchet:actions/upload-artifact@v7 | |
| with: | |
| name: grype-container-scan | |
| path: | | |
| grype-report.txt | |
| grype-report.json | |
| retention-days: 30 |