ci: add upload and output of sarif report (#324)

ory · Nov 15, 2023 · 58e02e9 · 58e02e9
1 parent 33a62bb
commit 58e02e9
Showing 1 changed file with 20 additions and 5 deletions.
diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml
@@ -22,12 +22,27 @@ jobs:
       - name: Build images
         shell: bash
         run: |
-          touch ory
-          DOCKER_BUILDKIT=1 docker build -f .docker/Dockerfile-alpine -t oryd/ory:test-vulns .
-          rm ory
+          make docker
       - name: Scan image
+        id: scan
         uses: anchore/scan-action@v3
         with:
-          image: oryd/ory:test-vulns
+          image: oryd/ory:latest-sqlite
+          fail-build: false
+          severity-cutoff: critical
+          add-cpes-if-none: true
+      - name: Inspect action SARIF report
+        run: cat ${{ steps.scan.outputs.sarif }}      
+      - name: Upload SARIF report
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+      - name: Inspect scan result
+        id: report
+        uses: anchore/scan-action@v3
+        with:
+          image: oryd/ory:latest-sqlite
+          output-format: table
           fail-build: true
-          severity-cutoff: high
+          severity-cutoff: critical
+          add-cpes-if-none: true