Skip to content

Anchore-Container-Scan #95

Anchore-Container-Scan

Anchore-Container-Scan #95

name: Anchore-Container-Scan
# Controls when the action will run.
on:
# Triggers the workflow on push or pull request events but only for the master branch
push:
branches: [ master ]
pull_request:
branches: [ master ]
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
scan:
# The type of runner that the job will run on
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
FROM:
- 'ubuntu:mantic'
- 'ubuntu:jammy'
- 'ubuntu:focal'
- 'ubuntu:bionic'
- 'linuxmintd/mint21.1-amd64'
- 'linuxmintd/mint21-amd64'
- 'linuxmintd/mint20-amd64'
- 'debian:bookworm'
- 'debian:bullseye'
#- 'debian:buster' # buster-backports is no longer available from deb.debian.org. Sunsetting?
- 'opensuse/leap:15.5'
- 'opensuse/leap:15.4'
- 'opensuse/leap:15.3'
- 'opensuse/leap:15.2'
- 'fedora:40'
- 'fedora:39'
- 'fedora:38'
- 'fedora:37'
- 'fedora:36'
- 'fedora:35'
- 'fedora:34'
- 'rockylinux:9.3'
- 'rockylinux:9.2'
- 'rockylinux:9.1'
- 'rockylinux:9.0'
- 'rockylinux:8.9'
- 'rockylinux:8.8'
- 'rockylinux:8.7'
- 'rockylinux:8.6'
- 'rockylinux:8.5'
- 'manjarolinux/base'
#- 'funtoo/stage3-generic_64'
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f #v4.1.3
with:
fetch-depth: 2
submodules: false
# - name: Run CI
# env:
# FROM: ${{ matrix.FROM }}
# MY_OS_NAME: linux
# IS_RELEASE: 0
# run: script/cibuild
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb #v3.3.0
env:
FROM: ${{ matrix.FROM }}
MY_OS_NAME: linux
IS_RELEASE: 0
- name: build local container
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 #v5.3.0
env:
FROM: ${{ matrix.FROM }}
MY_OS_NAME: linux
IS_RELEASE: 0
with:
build-args: from=${{ matrix.FROM }}
tags: localbuild/${{ matrix.FROM }}
push: false
load: true
- name: Scan image
uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a #v3.6.4
with:
image: "localbuild/${{ matrix.FROM }}"
fail-build: false
severity-cutoff: critical