cartsnitch/auth
12
0
Fork 1
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity

ci(auth): add Grype scan step; document provenance/sbom OCI referrer limitation (CAR-1446) #52

Merged
Barcode Betty merged 1 commits from betty/car-1446-sbom-provenance-scan into dev 2026-06-23 02:41:18 +00:00
Conversation 0 Commits 1 Files Changed 1
+17
1 changed files with 17 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/ci.yml
+17
View File
@@ -67,11 +67,28 @@ jobs:
tags: ${{ steps.meta.outputs.tags }} tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }} labels: ${{ steps.meta.outputs.labels }}
- name: Scan Docker image
uses: anchore/scan-action@v5
id: scan
env:
GRYPE_CONFIG: .grype.yaml
with:
image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}"
fail-build: true
severity-cutoff: high
only-fixed: "true"
output-format: sarif
- name: Push Docker image - name: Push Docker image
uses: docker/build-push-action@v6 uses: docker/build-push-action@v6
with: with:
context: . context: .
push: true push: true
# CAR-1446: git.farh.net does not support OCI referrers (distribution spec
# >=1.1 required for attestation push). Enabling provenance:true/sbom:true
# would cause the push to fail on the referrer PUT. The Grype scan step
# above is the compensating control — it fails the build on any unfixed
# high-severity CVE before the image reaches the registry.
provenance: false provenance: false
sbom: false sbom: false
tags: ${{ steps.meta.outputs.tags }} tags: ${{ steps.meta.outputs.tags }}