feat(docker): generate SBOM/provenance for the Docker image

orhun · Apr 3, 2023 · 2ef259e · 2ef259e
1 parent ed389b7
commit 2ef259e
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -77,9 +77,16 @@ jobs:
           builder: ${{ steps.buildx.outputs.name }}
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
+          sbom: true
+          provenance: true
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=local,src=/tmp/.buildx-cache
           cache-to: type=local,dest=/tmp/.buildx-cache
 
+      - name: Scan the image
+        uses: anchore/sbom-action@v0
+        with:
+          image: ghcr.io/${{ github.repository_owner }}/git-cliff/git-cliff
+
       - name: Image digest
         run: echo ${{ steps.docker_build.outputs.digest }}