diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
new file mode 100644
index 000000000..05ef3e033
--- /dev/null
+++ b/.github/workflows/scan.yml
@@ -0,0 +1,48 @@
+name: Scan
+
+on:
+ schedule:
+ - cron: "0 6 * * 4"
+
+jobs:
+ codeql:
+ name: CodeQL
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+ with:
+ # We must fetch at least the immediate parents so that if this is
+ # a pull request then we can checkout the head.
+ fetch-depth: 2
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v1
+ # Override language selection by uncommenting this and choosing your languages
+ # with:
+ # languages: go, javascript, csharp, python, cpp, java
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v1
+
+ anchore:
+ name: Anchore Container Scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout the code
+ uses: actions/checkout@v2
+
+ - name: Build the Docker image
+ run: docker build . --file Dockerfile --tag localbuild/testimage:latest
+
+ - name: Run the local Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
+ uses: anchore/scan-action@v2
+ with:
+ image: "localbuild/testimage:latest"
+ acs-report-enable: true
+
+ - name: Upload Anchore Scan Report
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: results.sarif
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 228668571..665a4c766 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
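Review bot: With `on:` limited to a weekly `schedule`, neither CodeQL nor the Anchore image scan runs on pull requests or pushes any more, so a vulnerable change can be merged and sit for up to a week before a finding surfaces; the jobs this file replaces were gated only on `github.event_name != 'release'` in test.yml, which suggests they previously ran pre-merge. If the goal is just to take these scans off the critical CI path, keeping the cron but adding `pull_request:` (and `push:` on the default branch) under `on:` preserves pre-merge coverage and lets the `upload-sarif` step annotate the PR. The `fetch-depth: 2` comment about checking out a pull-request head is stale in a schedule-only workflow and should be dropped or reworded. `anchore/scan-action@v2` is a third-party action resolved through a mutable tag; pinning it to a commit SHA with the tag in a trailing comment closes that supply-chain gap.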
@@ -692,15 +692,9 @@ jobs:
 - name: Set git slug envs
 uses: rlespinasse/github-slug-action@3.1.0
 
- - name: Get version
- run: |
- echo "::stop-commands::`echo -n ${{ github.token }} | sha256sum | head -c 64`"
- VERSION=$(make show-version)
- echo "::set-env name=VERSION::${VERSION}"
- echo "::`echo -n ${{ github.token }} | sha256sum | head -c 64`::"
-
 - name: Build Docker image
- run: docker build --build-arg VERSION=${VERSION} -t registry.heroku.com/karma-demo/web -f demo/Dockerfile .
+ run: docker build --build-arg VERSION=$(make show-version) -t registry.heroku.com/karma-demo/web -f demo/Dockerfile .
+ shell: bash
 
 - name: Write .netrc
 run: |
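Review bot: In the new `run:` line a failure of `make show-version` goes unnoticed: a command substitution inside an argument does not abort the step even under bash's `-e`/`pipefail`, so `docker build` proceeds with an empty `VERSION=` build-arg and the demo image is silently mis-labelled. Assigning the value first makes the step fail on error, and quoting guards against word-splitting should the version string ever contain whitespace, e.g. `run: |` / `VERSION="$(make show-version)"` / `docker build --build-arg "VERSION=${VERSION}" -t registry.heroku.com/karma-demo/web -f demo/Dockerfile .`. The enclosing job begins and ends outside this hunk.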
@@ -739,58 +733,3 @@ jobs:
 - name: Run e2e test
 run: make -C ui test-demo
-
- codeql:
- name: CodeQL
- if: github.event_name != 'release'
- needs:
- - cross-compile
- - docker
- runs-on: ubuntu-latest
- steps:
- - name: Checkout repository
- uses: actions/checkout@v2
- with:
- # We must fetch at least the immediate parents so that if this is
- # a pull request then we can checkout the head.
- fetch-depth: 2
-
- # If this run was triggered by a pull request event, then checkout
- # the head of the pull request instead of the merge commit.
- - run: git checkout HEAD^2
- if: github.event_name == 'pull_request'
-
- # Initializes the CodeQL tools for scanning.
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v1
- # Override language selection by uncommenting this and choosing your languages
- # with:
- # languages: go, javascript, csharp, python, cpp, java
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v1
-
- anchore:
- name: Anchore Container Scan
- if: github.event_name != 'release'
- needs:
- - cross-compile
- - docker
- runs-on: ubuntu-latest
- steps:
- - name: Checkout the code
- uses: actions/checkout@v2
-
- - name: Build the Docker image
- run: docker build . --file Dockerfile --tag localbuild/testimage:latest
-
- - name: Run the local Anchore scan action itself with GitHub Advanced Security code scanning integration enabled
- uses: anchore/scan-action@v2
- with:
- image: "localbuild/testimage:latest"
- acs-report-enable: true
-
- - name: Upload Anchore Scan Report
- uses: github/codeql-action/upload-sarif@v1
- with:
- sarif_file: results.sarif