Bump detect-secrets from 1.4.0 to 1.5.0 #180
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Syft & Grype SBOM and Vuln Scan" | |
on: | |
pull_request: | |
branches: [ master ] | |
jobs: | |
Anchore-Syft-Grype: | |
runs-on: ubuntu-latest | |
steps: | |
# Checkout le branch | |
- name: Checkout | |
uses: actions/checkout@v4 | |
# Build the ElectricEye Docker Image, locally | |
- name: Build ElectricEye Docker Image | |
run: docker build . --file Dockerfile --tag localbuild/electriceye:latest | |
# Generate an CycloneDX JSON SBOM with Syft on the Image | |
- name: Generate CDX SBOM | |
uses: anchore/sbom-action@v0 | |
with: | |
image: localbuild/electriceye:latest | |
format: cyclonedx-json # the One True SBOM Format | |
artifact-name: "${{ github.event.repository.name }}-sbom.spdx.json" | |
output-file: "${{ github.event.repository.name }}-sbom.spdx.json" | |
# Print SBOM to stdout | |
- name: SBOM Printer Goes Brrrr | |
run: cat "${{ github.event.repository.name }}-sbom.spdx.json" | |
# Scan the CDX SBOM with Grype | |
- name: Grype Scan SBOM | |
uses: anchore/[email protected] | |
id: scan | |
with: | |
output-format: sarif | |
sbom: "${{ github.event.repository.name }}-sbom.spdx.json" | |
severity-cutoff: critical | |
fail-build: true | |
only-fixed: true | |
# Print Grype SARIF Report to stdout | |
- name: View Grype Scan SBOM Report | |
if: always() # run when build fails too | |
run: cat "${{ steps.scan.outputs.sarif }}" | |
# Upload Grype SARIF Report to GitHub Security | |
- name: Upload Grype Scan SBOM Report | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: ${{ steps.scan.outputs.sarif }} |