chore(deps): update Grype to v0.81.0 #1168
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Tests" | |
on: | |
workflow_dispatch: | |
pull_request: | |
push: | |
branches: | |
- main | |
jobs: | |
build: # make sure build/ci work properly and there is no faked build ncc built scripts | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- run: npm ci | |
- run: npm run audit | |
- run: npm run build | |
- run: git status --porcelain | |
- run: git diff | |
- run: git diff --exit-code | |
test: | |
runs-on: ubuntu-latest | |
services: | |
registry: | |
image: registry:2 | |
ports: | |
- 5000:5000 | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Build images | |
run: | | |
for distro in alpine centos debian; do | |
docker build -t localhost:5000/match-coverage/$distro ./tests/fixtures/image-$distro-match-coverage | |
docker push localhost:5000/match-coverage/$distro:latest | |
done | |
- name: Inspect | |
run: | | |
docker images -a | |
for distro in alpine centos debian; do | |
docker buildx imagetools inspect localhost:5000/match-coverage/$distro:latest | |
done | |
- run: npm ci | |
- run: npm run audit | |
- run: npm test | |
test-download-action: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
path: ./ | |
- name: "Donwload Grype v0.54.0" | |
uses: ./download-grype # anchore/scan-action/download-grype | |
with: | |
grype-version: v0.54.0 | |
- name: "Check Grype version before scan-action" | |
run: grype version | egrep "^Version:.*0.54.0$" | |
- name: "Scan test image" | |
uses: ./ | |
with: | |
image: "alpine:latest" | |
grype-version: v0.54.0 # set the same version to test that current Grype binary wasn't overwritten by the latest version | |
fail-build: false # to prevent fail due to vuln:s on test image | |
- name: "Check Grype version after scan-action" | |
run: grype version | egrep "^Version:.*0.54.0$" | |
test-all: | |
strategy: | |
matrix: | |
config: [ | |
{image: 'alpine:latest'}, | |
{path: 'tests/fixtures/npm-project'}, | |
{sbom: 'tests/fixtures/test_sbom.spdx.json'}, | |
] | |
os: [ubuntu-latest, windows-latest, macos-latest] | |
output-format: [sarif, json, table] | |
runs-on: ${{ matrix.os }} | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- uses: ./ | |
id: scan | |
with: | |
image: ${{ matrix.config.image }} | |
path: ${{ matrix.config.path }} | |
sbom: ${{ matrix.config.sbom }} | |
output-format: ${{ matrix.output-format }} | |
fail-build: false | |
- name: Validate file exists | |
if: ${{ matrix.output-format != 'table' }} | |
run: test -f '${{ steps.scan.outputs[matrix.output-format] }}' |