37 lines
882 B
YAML
37 lines
882 B
YAML
name: Vulnerability Scan
|
|
# Secrets can only viewed in "push" events. Not pull_request events.
|
|
# That's why this step needs to be called on push, and not on pull_request (to read npm password).
|
|
|
|
on:
|
|
workflow_call:
|
|
|
|
jobs:
|
|
|
|
push-container-scan:
|
|
runs-on: ubuntu-22.04
|
|
|
|
steps:
|
|
|
|
- uses: actions/checkout@v4
|
|
|
|
- uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 22
|
|
registry-url: ${{ vars.NPM_REGISTRY }}
|
|
token: ${{ secrets.NPM_TOKEN }}
|
|
|
|
- name: Install npm dependencies
|
|
run: |
|
|
npm install -g pnpm
|
|
pnpm install
|
|
|
|
- name: Scan container image for vulnerabilities with grype
|
|
uses: anchore/scan-action@v6
|
|
with:
|
|
path: "."
|
|
cache-db: true #Cache Grype DB in Github Actions
|
|
output-format: table
|
|
only-fixed: true
|
|
severity-cutoff: critical
|
|
fail-build: true
|