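---
# Builds the container image, generates a CycloneDX SBOM from it, scans the
# SBOM with Grype (anchore/scan-action) and publishes the SARIF findings to
# GitHub Code Scanning. Runs after the separate `build` check has finished.
name: Docker Image Grype scan

on:
  push:
    branches: [master]
    tags:
      - '*'
  workflow_dispatch:

# Workflow-level default. A job that declares its own `permissions` block
# replaces this map entirely (unlisted scopes become `none`), so any scope a
# job still needs must be restated in that job.
permissions:
  contents: read

jobs:
  wait-for-build:
    name: Wait for build
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: block
          # With `egress-policy: block` only the hosts listed here are reachable;
          # a new action or registry added to this job must be added here too.
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            release-assets.githubusercontent.com:443
            index.rubygems.org:443
            rubygems.org:443

      - name: Wait for build
        uses: lewagon/wait-on-check-action@0dceb95e7c4cad8cc7422aee3885998f5cab9c79 # v1.4.0
        with:
          ref: ${{ github.ref }}
          check-name: 'build'
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          wait-interval: 15
          # A skipped `build` check is accepted as well as a successful one.
          allowed-conclusions: success,skipped

  docker:
    needs: wait-for-build
    permissions:
      # Restated on purpose: this job-level map replaces the workflow-level
      # one. There is no checkout step below, so the build step relies on
      # build-push-action's default Git context, which is fetched with the
      # job token and needs read access to the repository contents.
      contents: read
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
        with:
          egress-policy: block
          # Docker Hub (auth/registry/cloudflare), PyPI, GitHub raw/objects and
          # the Grype vulnerability DB host; everything else is blocked.
          allowed-endpoints: >
            api.github.com:443
            auth.docker.io:443
            files.pythonhosted.org:443
            github.com:443
            grype.anchore.io:443
            objects.githubusercontent.com:443
            production.cloudflare.docker.com:443
            pypi.org:443
            raw.githubusercontent.com:443
            registry-1.docker.io:443
            release-assets.githubusercontent.com:443

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Build
        id: docker_build
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          # The image is only loaded into the local daemon for scanning; it is
          # never pushed to a registry from this workflow.
          push: false
          load: true
          tags: localbuild/testimage:latest
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Generate SBOM and upload dependency results
        uses: anchore/sbom-action@da167eac915b4e86f08b264dbdbc867b61be6f0c # v0.20.5
        with:
          image: localbuild/testimage:latest
          artifact-name: "${{ github.event.repository.name }}.cyclonedx-sbom.json"
          # Must match the `sbom` input of the scan step below.
          output-file: "/tmp/${{ github.event.repository.name }}.cyclonedx-sbom.json"
          dependency-snapshot: false
          format: cyclonedx-json
          upload-artifact: true

      - name: Scan SBOM
        uses: anchore/scan-action@1638637db639e0ade3258b51db49a9a137574c3e # v6.5.1
        id: scan
        with:
          add-cpes-if-none: true
          # Findings never fail this job; they are only surfaced through the
          # SARIF upload below (Code Scanning alerts).
          fail-build: false
          sbom: "/tmp/${{ github.event.repository.name }}.cyclonedx-sbom.json"
          output-format: sarif

      - name: Upload Anchore scan SARIF report
        uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}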