Add Anchore image scan (#14)

* Add image scan to deb * Upload Anchore * Add image scan to build * Fix scan report uploading * Enable acs report * Increase severity cutoff to crtitical * Fix scan for build * Fix typo * Fix build local registry
2026-01-18 14:44:41 +01:00 · 2020-11-20 00:13:57 -08:00
parent f0d653fb78
commit 36f0935346
2 changed files with 50 additions and 2 deletions
--- a/.github/workflows/deb.yaml
+++ b/.github/workflows/deb.yaml
@@ -36,13 +36,33 @@ jobs:
          images: ${{ steps.repo.outputs.repo }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
+      - name: Build image without push
+        uses: docker/build-push-action@v2
+        with:
+          context: ./deb
+          file: ./deb/Dockerfile
+          load: true
+          tags: protonmail-bridge:latest
+      - name: Scan image
+        id: scan
+        uses: anchore/scan-action@v2
+        with:
+          image: protonmail-bridge:latest
+          fail-build: true
+          severity-cutoff: critical
+          acs-report-enable: true
+      - name: Upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
      - name: Login to DockerHub
        uses: docker/login-action@v1
        if: ${{ github.event_name != 'pull_request' }}
        with:
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}
-      - uses: docker/build-push-action@v2
+      - name: Push image
+        uses: docker/build-push-action@v2
        with:
          context: ./deb
          file: ./deb/Dockerfile