Container Scan #6
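---
# Weekly vulnerability scan of the published container image with grype.
name: Container Scan

# Least-privilege token: the only repository access the job needs is a read
# for the checkout (and the .grype.yaml config it provides).
permissions:
  contents: read

on:  # yamllint disable-line rule:truthy
  schedule:
    - cron: '0 6 * * 1'  # weekly Monday 06:00 UTC

jobs:
  grype:
    name: Container Scan
    runs-on: ubuntu-latest
    # Bound the job so a hung download or DB update cannot hold the runner
    # for the default six hours.
    timeout-minutes: 30
    env:
      # Quoted so the version is never read as a float.
      GRYPE_VERSION: "0.112.0"
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6

      # Download the pinned release tarball and verify it against the checksums
      # file published with the same release. Both files come from the same
      # release, so this confirms the download is intact, not that the release
      # itself is trustworthy — the version pin above is what fixes the input.
      - name: Install grype
        # Explicit bash gives `-eo pipefail`, so a failure anywhere in the
        # grep | sha256sum pipeline aborts the step instead of being masked.
        shell: bash
        run: |
          cd /tmp
          curl -sSfL -o "grype_${GRYPE_VERSION}_linux_amd64.tar.gz" \
            "https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz"
          curl -sSfL -o "grype_${GRYPE_VERSION}_checksums.txt" \
            "https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_checksums.txt"
          grep "grype_${GRYPE_VERSION}_linux_amd64.tar.gz" "grype_${GRYPE_VERSION}_checksums.txt" | sha256sum --check
          tar -xzf "grype_${GRYPE_VERSION}_linux_amd64.tar.gz" -C /usr/local/bin grype

      # Single scan — fail on high+, emit template report and JSON in one pass.
      # The severity threshold and the report template are not given on the
      # command line, so they are expected to come from .grype.yaml — confirm
      # that file sets them.
      # SARIF upload intentionally omitted — OS-layer CVEs are triaged with application
      # context; uploading creates misleading noise in the GitHub Security tab.
      # No `if: always()` on this step: if the install step (including its
      # checksum verification) failed, the scan must not run.
      # NOTE(review): the `:latest` tag is mutable, so successive runs may scan
      # different images; pin a digest if reproducible results are wanted.
      - name: Scan image
        run: |
          grype ghcr.io/coopernetes/git-proxy-java:latest \
            --config .grype.yaml \
            -o "template=grype-report.txt" \
            -o "json=grype-report.json"

      # Reports are uploaded even when the scan step fails on findings, so the
      # details of a failing run are still available.
      - name: Upload scan reports
        if: always()
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # ratchet:actions/upload-artifact@v7
        with:
          name: grype-container-scan
          path: |
            grype-report.txt
            grype-report.json
          retention-days: 30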