ci: Add OSV scan to built image #28
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: build dev | |
| # Actions that take place after every commit that's not on either the | |
| # staging ore production branches. | |
| # --------------- | |
| # Control secrets | |
| # --------------- | |
| # | |
| # (none) | |
| # | |
| # ----------- | |
| # Environment (GitHub Environments) | |
| # ----------- | |
| # | |
| # (none) | |
| on: | |
| push: | |
| branches-ignore: | |
| - 'staging' | |
| - 'production' | |
| tags-ignore: | |
| - '**' | |
| env: | |
| # The following 'defaults' are used in the 'Initialise workflow variables' step, | |
| # which creates 'outputs' for use in steps and jobs that follow it. | |
| # The values set here are used unless a matching secret is found. | |
| # Secrets are the way users dynamically control the behaviour of this Action. | |
| # | |
| # For Jobs conditional on the presence of a secret see this Gist... | |
| # https://gist.github.com/jonico/24ffebee6d2fa2e679389fac8aef50a3 | |
| FE_NAMESPACE: xchem | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Inject slug/short variables | |
| uses: rlespinasse/github-slug-action@v4 | |
| - name: Initialise workflow variables | |
| id: vars | |
| run: | | |
| # FE_NAMESPACE | |
| FE_NAMESPACE="${{ env.FE_NAMESPACE }}" | |
| if [ -n "${{ secrets.FE_NAMESPACE }}" ]; then FE_NAMESPACE="${{ secrets.FE_NAMESPACE }}"; fi | |
| echo FE_NAMESPACE=${FE_NAMESPACE} | |
| echo "FE_NAMESPACE=${FE_NAMESPACE}" >> $GITHUB_OUTPUT | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Build | |
| uses: docker/build-push-action@v5 | |
| with: | |
| tags: ${{ steps.vars.outputs.FE_NAMESPACE }}/fragalysis-frontend:${{ env.GITHUB_REF_SLUG }} | |
| - name: Vulnerability Scan (OSV) | |
| # The vulnerability scan (using Google's OSV) | |
| # Allowed to fail (we force true) as it's used for information only | |
| # The generated "Common Vulnerability Scoring System (CVSS)"" values | |
| # are interpreted as... | |
| # | |
| # - None: 0.0 (No impact) | |
| # - Low: 0.1–3.9 (Minor risk) | |
| # - Medium: 4.0–6.9 (Moderate risk) | |
| # - High: 7.0–8.9 (Serious risk) | |
| # - Critical: 9.0–10.0 (Grave, severe risk) | |
| run: | | |
| wget https://github.com/google/osv-scanner/releases/latest/download/osv-scanner_linux_amd64 -O osv-scanner | |
| chmod +x osv-scanner | |
| ./osv-scanner scan image ${{ steps.vars.outputs.FE_NAMESPACE }}/fragalysis-frontend:${{ env.GITHUB_REF_SLUG }} \ | |
| --format markdown --output scan.md || true | |
| cat scan.md >> $GITHUB_STEP_SUMMARY |