Scan all OS-specific binaries from a Linux container.

ActiveState · Aug 27, 2024 · 6410f3e · 6410f3e
1 parent 4eecaab
commit 6410f3e
Showing 1 changed file with 22 additions and 12 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -214,17 +214,6 @@ jobs:
         shell: bash
         run: parallelize results Build-Executor
 
-      - # === Scan for CVEs (Linux only) ===
-        name: Scan for CVEs
-        if: runner.os == 'Linux'
-        uses: aquasecurity/[email protected]
-        with:
-          scan-type: rootfs
-          scan-ref: build
-          ignore-unfixed: true
-          format: table
-          exit-code: 1
-
       - # === Prepare Windows Cert ===
         name: Prepare Windows Cert
         shell: bash
@@ -408,11 +397,32 @@ jobs:
           name: session-build-${{ matrix.sys.os }}
           path: build/
 
+  scan:
+    name: Scan
+    needs:
+      - os_specific
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download All Build Session Artifacts
+        uses: actions/download-artifact@v2
+        with:
+          path: build/
+
+      - name: Scan for CVEs
+        if: runner.os == 'Linux'
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: rootfs
+          scan-ref: build
+          ignore-unfixed: true
+          format: table
+          exit-code: 1
+
   # === Deploy job (runs once with combined artifacts from OS specific job) ===
   deploy:
     name: Deploy
     needs:
-      - os_specific
+      - scan
     runs-on: ubuntu-20.04
     env:
       ACTIVESTATE_CI: true