Skip to content

Bump detect-secrets from 1.4.0 to 1.5.0 #180

Bump detect-secrets from 1.4.0 to 1.5.0

Bump detect-secrets from 1.4.0 to 1.5.0 #180

Workflow file for this run

name: "Syft & Grype SBOM and Vuln Scan"
on:
pull_request:
branches: [ master ]
jobs:
Anchore-Syft-Grype:
runs-on: ubuntu-latest
steps:
# Checkout le branch
- name: Checkout
uses: actions/checkout@v4
# Build the ElectricEye Docker Image, locally
- name: Build ElectricEye Docker Image
run: docker build . --file Dockerfile --tag localbuild/electriceye:latest
# Generate an CycloneDX JSON SBOM with Syft on the Image
- name: Generate CDX SBOM
uses: anchore/sbom-action@v0
with:
image: localbuild/electriceye:latest
format: cyclonedx-json # the One True SBOM Format
artifact-name: "${{ github.event.repository.name }}-sbom.spdx.json"
output-file: "${{ github.event.repository.name }}-sbom.spdx.json"
# Print SBOM to stdout
- name: SBOM Printer Goes Brrrr
run: cat "${{ github.event.repository.name }}-sbom.spdx.json"
# Scan the CDX SBOM with Grype
- name: Grype Scan SBOM
uses: anchore/[email protected]
id: scan
with:
output-format: sarif
sbom: "${{ github.event.repository.name }}-sbom.spdx.json"
severity-cutoff: critical
fail-build: true
only-fixed: true
# Print Grype SARIF Report to stdout
- name: View Grype Scan SBOM Report
if: always() # run when build fails too
run: cat "${{ steps.scan.outputs.sarif }}"
# Upload Grype SARIF Report to GitHub Security
- name: Upload Grype Scan SBOM Report
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.scan.outputs.sarif }}