CI: improve Docker build

2025-08-26 16:38:24 +02:00
parent aea754aacb
commit 40524599c9
2 changed files with 153 additions and 29 deletions
--- a/.github/workflows/docker-scan.yml
+++ b/.github/workflows/docker-scan.yml
@@ -0,0 +1,98 @@
+name: Docker Image Grype scan
+
+on:
+  push:
+    branches: [master]
+    tags:
+      - '*'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  wait-for-build:
+    name: Wait for build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            release-assets.githubusercontent.com:443
+            index.rubygems.org:443
+            rubygems.org:443
+
+      - name: Wait for build
+        uses: lewagon/wait-on-check-action@0dceb95e7c4cad8cc7422aee3885998f5cab9c79  # v1.4.0
+        with:
+          ref: ${{ github.ref }}
+          check-name: 'build'
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          wait-interval: 15
+          allowed-conclusions: success,skipped
+
+  docker:
+    needs: wait-for-build
+    permissions:
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    runs-on: ubuntu-latest
+    steps:
+      - 
+        name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            auth.docker.io:443
+            files.pythonhosted.org:443
+            github.com:443
+            grype.anchore.io:443
+            objects.githubusercontent.com:443
+            production.cloudflare.docker.com:443
+            pypi.org:443
+            raw.githubusercontent.com:443
+            registry-1.docker.io:443
+            release-assets.githubusercontent.com:443
+      -
+        name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+      -
+        name: Build
+        id: docker_build
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          push: false
+          load: true
+          tags: localbuild/testimage:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+      -
+        name: Generate SBOM and upload dependency results
+        uses: anchore/sbom-action@da167eac915b4e86f08b264dbdbc867b61be6f0c # v0.20.5
+        with:
+          image: localbuild/testimage:latest
+          artifact-name: "${{ github.event.repository.name }}.cyclonedx-sbom.json"
+          output-file: "/tmp/${{ github.event.repository.name }}.cyclonedx-sbom.json"
+          dependency-snapshot: false
+          format: cyclonedx-json
+          upload-artifact: true
+      -
+        name: Scan SBOM
+        uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1
+        id: scan
+        with:
+          add-cpes-if-none: true
+          fail-build: false
+          sbom: "/tmp/${{ github.event.repository.name }}.cyclonedx-sbom.json"
+          output-format: sarif
+      -
+        name: Upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}