Merge pull request 'ci(auth): add Grype scan step; document provenance/sbom OCI referrer limitation (CAR-1446)' (#52) from betty/car-1446-sbom-provenance-scan into dev
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / deploy-dev (push) Has been cancelled
CI / deploy-uat (push) Has been cancelled
CI / build-and-push (push) Has been cancelled
CI / build-and-push (pull_request) Has been skipped
CI / deploy-dev (pull_request) Has been skipped
CI / deploy-uat (pull_request) Has been skipped
CI / deploy-dev (push) Has been cancelled
CI / deploy-uat (push) Has been cancelled
CI / build-and-push (push) Has been cancelled
ci(auth): add Grype scan step; document provenance/sbom OCI referrer limitation (CAR-1446) Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit was merged in pull request #52.
This commit is contained in:
@@ -67,11 +67,28 @@ jobs:
|
||||
tags: ${{ steps.meta.outputs.tags }}
|
||||
labels: ${{ steps.meta.outputs.labels }}
|
||||
|
||||
- name: Scan Docker image
|
||||
uses: anchore/scan-action@v5
|
||||
id: scan
|
||||
env:
|
||||
GRYPE_CONFIG: .grype.yaml
|
||||
with:
|
||||
image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
|
||||
fail-build: true
|
||||
severity-cutoff: high
|
||||
only-fixed: "true"
|
||||
output-format: sarif
|
||||
|
||||
- name: Push Docker image
|
||||
uses: docker/build-push-action@v6
|
||||
with:
|
||||
context: .
|
||||
push: true
|
||||
# CAR-1446: git.farh.net does not support OCI referrers (distribution spec
|
||||
# >=1.1 required for attestation push). Enabling provenance:true/sbom:true
|
||||
# would cause the push to fail on the referrer PUT. The Grype scan step
|
||||
# above is the compensating control — it fails the build on any unfixed
|
||||
# high-severity CVE before the image reaches the registry.
|
||||
provenance: false
|
||||
sbom: false
|
||||
tags: ${{ steps.meta.outputs.tags }}
|
||||
|
||||
Reference in New Issue
Block a user