ci(GITHUB): expose anchore scan options

cicd-tools-org · Jul 24, 2024 · 176414e · 176414e
1 parent 1138607
commit 176414e
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 2 deletions.
diff --git a/.github/workflows/job-10-container-security_scan_container.yml b/.github/workflows/job-10-container-security_scan_container.yml
@@ -22,6 +22,21 @@ on:
         description: "Optional, allows you define where the Dockerfile is located with respect to the context."
         required: false
         type: string
+      FAIL_BUILD:
+        default: false
+        description: "Optional, allows you to fail the build if security vulnerabilities are detected above the threshold."
+        required: false
+        type: boolean
+      FAIL_THRESHOLD:
+        default: "critical"
+        description: "Optional, specifies the vulnerability level that can trigger a failed build. (Valid values are: 'critical', 'high', 'medium', 'low' or 'negligible')"
+        required: false
+        type: string
+      FIXED_ONLY:
+        default: false
+        description: "Optional, allows you to filter the report by vulnerabilities that have been patched and have a fixed version made available."
+        required: false
+        type: boolean
       IMAGE_NAME:
         default: ""
         description: "Optional, allows you to specify the image name, otherwise the configured script will generate one."
@@ -146,9 +161,10 @@ jobs:
         id: scan
         uses: anchore/scan-action@v3
         with:
-          fail-build: true
+          fail-build: ${{ inputs.FAIL_BUILD }}
           image: localbuild/test:${{ env.BRANCH_OR_TAG }}
-          severity-cutoff: critical
+          only-fixed: ${{ inputs.FIXED_ONLY }}
+          severity-cutoff: ${{ inputs.FAIL_THRESHOLD }}
 
       - name: Container Scan -- Upload SARIF Report
         uses: github/codeql-action/upload-sarif@v3

diff --git a/.github/workflows/workflow-container-multiarch.yml b/.github/workflows/workflow-container-multiarch.yml
@@ -72,6 +72,9 @@ jobs:
     with:
       BUILD_ARGS: ${{ matrix.build-args }}
       CONTEXT: .cicd-tools/container
+      FAIL_BUILD: true
+      FAIL_THRESHOLD: "critical"
+      FIXED_ONLY: true
       IMAGE_TAG: ${{ matrix.build-tag }}
       PLATFORM: ${{ matrix.build-platform }}
       REQUIRES_QEMU: true

diff --git a/.vale/Vocab/cicd-tools/accept.txt b/.vale/Vocab/cicd-tools/accept.txt
@@ -1,3 +1,4 @@
+anchore
 codebase's
 mac_maker
 tmate