From 0e6149ca4f3a341865cad3098f8d1bbafee9702d Mon Sep 17 00:00:00 2001 From: Tom Martensen Date: Mon, 9 Dec 2024 12:51:26 +0100 Subject: [PATCH] initial debug --- .github/workflows/lint.yml | 58 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 .github/workflows/lint.yml diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml new file mode 100644 index 0000000..51b92ad --- /dev/null +++ b/.github/workflows/lint.yml @@ -0,0 +1,58 @@ +name: Debug sarif +on: + push: + +jobs: + scan-images-with-roxctl: + name: Check images for vulnerabilities + runs-on: ubuntu-latest + permissions: + # Needed for stackrox/central-login to create the JWT token. + id-token: write + security-events: write + strategy: + fail-fast: false + matrix: + image: + [ + "central-db", + "collector", + "collector-slim", + "main", + "roxctl", + "scanner", + "scanner-db", + "scanner-db-slim", + "scanner-slim", + "stackrox-operator", + ] + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Central login + uses: stackrox/central-login@v1 + with: + endpoint: ${{ vars.ACS_DOGFOODING_CENTRAL_URL }} + skip-tls-verify: true + + - name: Install roxctl + uses: stackrox/roxctl-installer-action@v1 + with: + central-endpoint: ${{ vars.ACS_DOGFOODING_CENTRAL_URL }} + central-token: ${{ env.ROX_API_TOKEN }} + skip-tls-verify: true + + - name: Scan images for vulnerabilities + run: | + release_tag=4.6.0 + roxctl image scan --retries=10 --retry-delay=15 --force --severity=CRITICAL,IMPORTANT --output=sarif \ + --image="quay.io/rhacs-eng/${{ matrix.image }}:${release_tag}" --insecure-skip-tls-verify \ + > results.sarif + cat results.sarif >> "${GITHUB_STEP_SUMMARY}" + + - name: Upload roxctl scan results to GitHub Security tab number one + uses: github/codeql-action/upload-sarif@v3 + with: + category: ${{ matrix.image }} + sarif_file: results.sarif