2026-06-23 02:41:18 +00:00
1 changed files with 17 additions and 0 deletions
@@ -67,11 +67,28 @@ jobs:
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

+      - name: Scan Docker image
+        uses: anchore/scan-action@v5
+        id: scan
+        env:
+          GRYPE_CONFIG: .grype.yaml
+        with:
+          image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
+          fail-build: true
+          severity-cutoff: high
+          only-fixed: "true"
+          output-format: sarif
+
      - name: Push Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
+          # CAR-1446: git.farh.net does not support OCI referrers (distribution spec
+          # >=1.1 required for attestation push). Enabling provenance:true/sbom:true
+          # would cause the push to fail on the referrer PUT. The Grype scan step
+          # above is the compensating control — it fails the build on any unfixed
+          # high-severity CVE before the image reaches the registry.
          provenance: false
          sbom: false
          tags: ${{ steps.meta.outputs.tags }}