From c8e5a13e8c53e79db6746e8e83cfb5bcca7a2f77 Mon Sep 17 00:00:00 2001
From: Andreas Bucksteeg
Date: Mon, 18 Nov 2024 17:07:30 +0100
Subject: [PATCH] chore: clean up
---
.github/workflows/cve-scan-old.yaml | 94 ----------------------------
1 file changed, 94 deletions(-)
delete mode 100644 .github/workflows/cve-scan-old.yaml
diff --git a/.github/workflows/cve-scan-old.yaml b/.github/workflows/cve-scan-old.yaml
deleted file mode 100644
index ea1fe8df7..000000000
--- a/.github/workflows/cve-scan-old.yaml
+++ /dev/null
@@ -1,94 +0,0 @@ -name: Docker Image Scanners -on: - push: - branches: - - "master" - tags: - - "v*.*.*" - pull_request: - branches: - - "master" - merge_group: - -jobs: - scanners: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v3 - - name: Setup Env - id: vars - shell: bash - run: | - echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}" - - name: Set up QEMU - uses: docker/setup-qemu-action@v2 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 - - name: Build images - shell: bash - run: | - IMAGE_TAG="${{ env.SHA_SHORT }}" make docker - - name: Anchore Scanner - uses: anchore/scan-action@v3 - id: grype-scan - with: - image: oryd/keto:${{ env.SHA_SHORT }} - fail-build: true - severity-cutoff: high - add-cpes-if-none: true - - name: Inspect action SARIF report - shell: bash - if: ${{ always() }} - run: | - echo "::group::Anchore Scan Details" - jq '.runs[0].results' ${{ steps.grype-scan.outputs.sarif }} - echo "::endgroup::" - - name: Anchore upload scan SARIF report - if: always() - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: ${{ steps.grype-scan.outputs.sarif }} - # - name: Kubescape scanner - # uses: kubescape/github-action@main - # id: kubescape - # with: - # image: oryd/keto:${{ env.SHA_SHORT }} - # verbose: true - # format: pretty-printer - # # can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568 - # severityThreshold: critical - - name: Trivy Scanner - uses: aquasecurity/trivy-action@master - if: ${{ always() }} - with: - image-ref: oryd/keto:${{ env.SHA_SHORT }} - format: "table" - exit-code: "42" - ignore-unfixed: true - vuln-type: "os,library" - severity: "CRITICAL,HIGH" - scanners: "vuln,secret,config" - - name: Dockle Linter - uses: erzz/dockle-action@v1.3.2 - if: ${{ always() }} - with: - image: oryd/keto:${{ env.SHA_SHORT }} - exit-code: 42 - failure-threshold: high - - name: Hadolint - uses: hadolint/hadolint-action@v3.1.0 - id: hadolint - if: ${{ 
always() }} - with: - dockerfile: .docker/Dockerfile-build - verbose: true - format: "json" - failure-threshold: "error" - - name: View Hadolint results - if: ${{ always() }} - shell: bash - run: | - echo "::group::Hadolint Scan Details" - echo "${HADOLINT_RESULTS}" | jq '.' - echo "::endgroup::"