Skip to content

Container Scans

Container Scans #816

Workflow file for this run

name: Container Scans
permissions:
actions: read
contents: write # for sbom-action artifact uploads
on:
push:
branches:
- main
pull_request:
branches:
- main
merge_group:
paths-ignore:
- "LICENSE"
- "CODEOWNERS"
jobs:
container-scans:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Use Node.js latest
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: 20
cache: "npm"
- name: Install Pepr Dependencies
run: npm ci
- name: Build Pepr Controller Image
run: npm run build:image
- name: Configure Grype Ignore File
run: |
mkdir -p ~/.grype
echo "ignore:" > ~/.grype.yaml
echo " - vulnerability: GHSA-3xgq-45jj-v275" >> ~/.grype.yaml
- name: Vulnerability Scan
uses: anchore/scan-action@869c549e657a088dc0441b08ce4fc0ecdac2bb65 # v5.3.0
with:
image: "pepr:dev"
fail-build: true
severity-cutoff: high
- name: Generate SBOM
uses: anchore/sbom-action@55dc4ee22412511ee8c3142cbea40418e6cec693 # v0.17.8
with:
image: pepr:dev
upload-artifact: true
upload-artifact-retention: 30