diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d01e016..c99d6e3 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -90,30 +90,28 @@ jobs:
           load: true
           tags: ${{ steps.docker-meta.outputs.tags }}
           labels: ${{ steps.docker-meta.outputs.labels }}
-
-      - name: Dockle scan
+      -
+        name: Dockle scan
         uses: erzz/dockle-action@v1
         with:
-          image: "ghcr.io/${{ env.IMAGE_STAGING }}:${{ env.PGBOUNCER_VERSION}}"
+          image: "ghcr.io/${{ env.IMAGE_STAGING }}:${{ env.PGBOUNCER_VERSION }}"
           exit-code: '1'
           failure-threshold: WARN
           accept-keywords: key
-          #accept-filenames: usr/share/cmake/Templates/Windows/Windows_TemporaryKey.pfx,etc/trusted-key.key,usr/share/doc/perl-IO-Socket-SSL/certs/server_enc.p12,usr/share/doc/perl-IO-Socket-SSL/certs/server.p12,usr/local/lib/python3.9/dist-packages/azure/core/settings.py,usr/local/lib/python3.8/site-packages/azure/core/settings.py,usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,usr/local/lib/python3.7/dist-packages/azure/core/settings.py,etc/ssl/private/ssl-cert-snakeoil.key,usr/lib/python3.9/site-packages/azure/core/settings.py
-
-      - name: Run Snyk to check Docker image for vulnerabilities
+      -
+        name: Run Snyk to check Docker image for vulnerabilities
         uses: snyk/actions/docker@master
         continue-on-error: true
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
-          image: "ghcr.io/${{ env.IMAGE_STAGING }}:${{ env.PGBOUNCER_VERSION}}"
+          image: "ghcr.io/${{ env.IMAGE_STAGING }}:${{ env.PGBOUNCER_VERSION }}"
           args: --severity-threshold=high --file=${{ matrix.file }}
-
-      - name: Upload result to GitHub Code Scanning
+      -
+        name: Upload result to GitHub Code Scanning
         uses: github/codeql-action/upload-sarif@v2
         with:
           sarif_file: snyk.sarif
-
       - name: Build and push
         uses: docker/build-push-action@v5