scan-docker-images.yml
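---
# Weekly vulnerability scan of the Docker images listed in tools/scripts/bumpenvs.yaml.
# Job 1 extracts the image list with yq; job 2 fans out over it, scans each image with
# anchore/scan-action, and uploads the SARIF result to code scanning.
name: "Scan Docker images"
on: # yamllint disable-line rule:truthy
  schedule:
    # 01:15 UTC every Sunday (GitHub cron schedules are evaluated in UTC).
    - cron: "15 1 * * 0"

# Least-privilege GITHUB_TOKEN: checkout only needs read access to the repo, and
# github/codeql-action/upload-sarif needs security-events:write to publish results.
# Without an explicit block the workflow inherits the repository's default token
# permissions, which may either lack security-events:write or over-grant.
permissions:
  contents: read
  security-events: write
  # NOTE(review): upload-sarif documents actions:read as additionally required on
  # private repositories — confirm whether this repository needs it.
  actions: read

jobs:
  list-images:
    runs-on: ubuntu-latest
    outputs:
      # JSON array of image references, consumed by the scan-images matrix below.
      images: ${{ steps.get-images.outputs.result }}
    steps:
      - uses: actions/checkout@v4
      - name: Parse image list
        id: get-images
        uses: mikefarah/yq@v4
        with:
          # Select every top-level key ending in "_hashed" and emit the `.new`
          # value of each as one JSON array.
          cmd: |
            yq -o=json \
              '[with_entries(select(.key | test("_hashed$"))).[].new]' \
              tools/scripts/bumpenvs.yaml

  scan-images:
    needs: list-images
    runs-on: ubuntu-latest
    strategy:
      # Keep scanning the remaining images when one of them fails.
      fail-fast: false
      matrix:
        image: ${{ fromJSON(needs.list-images.outputs.images) }}
    steps:
      # The CUDA 11 and ROCm images are large enough that the default runner disk
      # can run out; reclaim space only for those.
      - name: Free up some space
        if: contains(matrix.image, 'cuda-11') || contains(matrix.image, 'rocm')
        # NOTE(review): "@main" is a mutable ref, so this third-party action can
        # change under the workflow without a review here. Pin it to a release tag
        # or, preferably, a full commit SHA, as the other actions in this file are
        # pinned to a version.
        uses: jlumbroso/free-disk-space@main
        with:
          tool-cache: true
      - uses: actions/checkout@v4
      # fail-build:true makes this step fail on findings at or above the cutoff;
      # continue-on-error lets the print/upload steps still run, and the last step
      # re-raises the failure so the job is still red.
      - name: Scan ${{ matrix.image }}
        id: scan
        continue-on-error: true
        uses: anchore/scan-action@v4
        with:
          image: ${{ matrix.image }}
          # NOTE(review): acs-report-enable predates the current major versions of
          # this action — confirm it is still honored by @v4, or drop it.
          acs-report-enable: true
          fail-build: true
          severity-cutoff: high
      - name: Print SARIF report for ${{ matrix.image }}
        run: cat ${{ steps.scan.outputs.sarif }}
      - name: Upload SARIF report for ${{ matrix.image }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
      # Surface the deferred scan failure (see continue-on-error above).
      - name: Fail job if scan failed
        if: steps.scan.outcome == 'failure'
        run: exit 1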