Add Anchore Go dependency security scanning

Scan Go dependencies for known vulnerabilities. Run on PRs to gate on vulns negligible or higher. Also run on merges to devel and release branches to report results on the GitHub Code Scanning tab. Relates-to: submariner-io/submariner#794 Signed-off-by: Daniel Farrell <[email protected]>
dfarrell07 · Aug 17, 2022 · d125a29 · d125a29
1 parent e93bc3c
commit d125a29
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 0 deletions.
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
@@ -93,6 +93,28 @@ jobs:
       - name: Run packagedoc-lint
         run: make packagedoc-lint
 
+  vulnerability-scan:
+    name: Vulnerability Scanning
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      - name: Run Anchore vulnerability scanner
+        uses: anchore/scan-action@516844f15d82b6cdd0765b87aab79ed3ac006225
+        id: scan
+        with:
+          path: "."
+          fail-build: true
+          severity-cutoff: negligible
+      - name: Show Anchore scan SARIF report
+        if: always()
+        run: cat ${{ steps.scan.outputs.sarif }}
+      - name: Upload Anchore scan SARIF report
+        if: always()
+        uses: github/codeql-action/upload-sarif@0c670bbf0414f39666df6ce8e718ec5662c21e03
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+
   yaml-lint:
     name: YAML
     runs-on: ubuntu-latest

diff --git a/.github/workflows/report.yml b/.github/workflows/report.yml
@@ -0,0 +1,29 @@
+---
+name: Reporting
+
+on:
+  push:
+    branches:
+      - devel
+      - release-*
+
+jobs:
+  vulnerability-scan:
+    name: Vulnerability Scanning
+    if: github.repository_owner == 'submariner-io'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out the repository
+        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      - name: Run Anchore vulnerability scanner
+        uses: anchore/scan-action@516844f15d82b6cdd0765b87aab79ed3ac006225
+        id: scan
+        with:
+          path: "."
+          fail-build: false
+      - name: Show Anchore scan SARIF report
+        run: cat ${{ steps.scan.outputs.sarif }}
+      - name: Upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@0c670bbf0414f39666df6ce8e718ec5662c21e03
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}