Merge pull request #19 from dangeroustech/biodrone/issue11

Integrate Grype for Scanning
2025-12-06 00:56:58 +00:00 · 2023-09-22 21:44:42 +01:00
parent 9cc7d36434 89e29531f0
commit 1c41eb9e1b
1 changed files with 22 additions and 11 deletions
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -35,6 +35,28 @@ jobs:
          push: true
          tags: registry.dangerous.tech/dangeroustech/zerotierbridge:latest

+      - name: Generate SBOM
+        uses: anchore/sbom-action@v0
+        id: sbom
+        with:
+          image: registry.dangerous.tech/dangeroustech/zerotierbridge:latest
+          registry-username: ${{ secrets.REGISTRY_USERNAME }}
+          registry-password: ${{ secrets.REGISTRY_PASSWORD }}
+          format: spdx-json
+          output-file: ./sbom.spdx.json
+
+      - name: Scan SBOM
+        uses: anchore/scan-action@v3
+        id: scan
+        with:
+          sbom: sbom.spdx.json
+          fail-build: false
+
+      - name: upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+
      - name: Changelog
        uses: TriPSs/conventional-changelog-action@v3
        id: changelog
@@ -48,17 +70,6 @@ jobs:
          release-count: 0 # preserve all versions in changelog
          skip-on-empty: false # otherwise we don't publish fixes

-      - name: Generate SBOM
-        uses: anchore/sbom-action@v0
-        id: sbom
-        if: ${{ steps.changelog.outputs.skipped == 'false' }}
-        with:
-          image: registry.dangerous.tech/dangeroustech/zerotierbridge:latest
-          registry-username: ${{ secrets.REGISTRY_USERNAME }}
-          registry-password: ${{ secrets.REGISTRY_PASSWORD }}
-          format: spdx-json
-          output-file: ./sbom.spdx.json
-
      - name: Create Release
        uses: softprops/action-gh-release@v1
        id: release