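---
name: Scan image vulnerability
on:
  # Manual trigger plus a weekly scheduled scan.
  workflow_dispatch:
  schedule:
    # Cron is evaluated in UTC: 09:00 UTC Sunday == Sunday, 18:00 JST
    - cron: '0 9 * * 0'
# Least privilege: the jobs only check out the repository and append to the
# step summary, so a read-only token is all they need.
permissions:
  contents: read
# On scheduled/manual runs head_ref is empty, so the group falls back to the sha.
concurrency:
  group: ${{ github.head_ref || github.sha }}-${{ github.workflow }}
  cancel-in-progress: true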
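jobs:
  gem:
    name: Show bundled gems
    # No matrix is defined, so fail-fast appears to be inert here; kept for
    # parity with the other jobs.
    strategy:
      fail-fast: false
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Show bundled gems in Fluentd image
        run: |
          # Tag looks like v1.19.1-debian-amd64: third comma-separated field of
          # the first image printed by `make echo-all-images`.
          IMAGE=$(make echo-all-images | cut -d' ' -f1|cut -d',' -f3)
          # A failed/empty `make` would otherwise yield `fluent/fluentd:` and a
          # confusing docker error; fail here with a clear cause instead.
          test -n "$IMAGE"
          echo "# Show bundled gems in Fluentd image (filter)" >> "$GITHUB_STEP_SUMMARY"
          docker run --rm "fluent/fluentd:$IMAGE" gem list | grep "," >> "$GITHUB_STEP_SUMMARY"
          echo "# Show all bundled gems in Fluentd image (details)" >> "$GITHUB_STEP_SUMMARY"
          docker run --rm "fluent/fluentd:$IMAGE" gem list >> "$GITHUB_STEP_SUMMARY"
  fluentd:
    name: Scan Fluentd image with grype
    strategy:
      fail-fast: false
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Pull and scan Fluentd image
        # NOTE(review): the scanner image `anchore/grype:latest` is a floating
        # tag (here and in the ruby/debian jobs), unlike the SHA-pinned
        # checkout action above. If reproducible scans are wanted, pin it as
        # anchore/grype:<VERSION>@sha256:<DIGEST> (placeholders) and let the
        # vulnerability DB, not the scanner binary, be the moving part.
        #
        # Explicit `shell: bash` runs the script with `-eo pipefail`; the
        # runner's default shell for `run` is `bash -e {0}` without pipefail,
        # so a failing grype invocation in `grype ... | jq` would be masked by
        # jq's exit status and leave an empty table under a green job.
        shell: bash
        run: |
          # Tag looks like v1.19.1-debian-amd64: third comma-separated field of
          # the first image printed by `make echo-all-images`.
          IMAGE=$(make echo-all-images | cut -d' ' -f1|cut -d',' -f3)
          test -n "$IMAGE"
          echo "# Scan Fluentd image with grype (filter)" >> "$GITHUB_STEP_SUMMARY"
          # Filter view: skip "wont-fix" findings and Negligible severity.
          docker run --rm anchore/grype:latest "fluent/fluentd:$IMAGE" --ignore-states wont-fix --output json | jq --raw-output '
            (["NAME","INSTALLED","FIXED IN","TYPE","VULNERABILITY","SEVERITY"] | join(" | ") | "| " + . + " |"),
            (["---","---","---","---","---","---"] | join(" | ") | "| " + . + " |"),
            (.matches[]
              | select(.vulnerability.severity != "Negligible")
              | "| \(.artifact.name) | \(.artifact.version) | \(.vulnerability.fix.versions[0] // (if .vulnerability.fix.state == "not-fixed" then "" else "(" + .vulnerability.fix.state + ")" end)) | \(.artifact.type) | \(.vulnerability.id) | \(.vulnerability.severity)|")
          ' >> "$GITHUB_STEP_SUMMARY"
          echo "# Scan Fluentd image with grype (details)" >> "$GITHUB_STEP_SUMMARY"
          # Details view: every match, no state or severity filtering.
          docker run --rm anchore/grype:latest "fluent/fluentd:$IMAGE" --output json | jq --raw-output '
            (["NAME","INSTALLED","FIXED IN","TYPE","VULNERABILITY","SEVERITY"] | join(" | ") | "| " + . + " |"),
            (["---","---","---","---","---","---"] | join(" | ") | "| " + . + " |"),
            (.matches[]
              | "| \(.artifact.name) | \(.artifact.version) | \(.vulnerability.fix.versions[0] // (if .vulnerability.fix.state == "not-fixed" then "" else "(" + .vulnerability.fix.state + ")" end)) | \(.artifact.type) | \(.vulnerability.id) | \(.vulnerability.severity)|")
          ' >> "$GITHUB_STEP_SUMMARY"
  ruby:
    name: Scan Ruby image with grype
    strategy:
      fail-fast: false
    runs-on: ubuntu-latest
    steps:
      - name: Pull and scan upstream Ruby image
        # `shell: bash` for pipefail; see the fluentd job for the rationale.
        shell: bash
        run: |
          docker pull ruby:3.4-slim
          echo "# Scan Ruby image with grype (filter)" >> "$GITHUB_STEP_SUMMARY"
          # Filter view. The output flag is `--output json`, matching every
          # other grype invocation in this workflow (this one used `--format`).
          docker run --rm anchore/grype:latest ruby:3.4-slim --ignore-states wont-fix --output json | jq --raw-output '
            (["NAME","INSTALLED","FIXED IN","TYPE","VULNERABILITY","SEVERITY"] | join(" | ") | "| " + . + " |"),
            (["---","---","---","---","---","---"] | join(" | ") | "| " + . + " |"),
            (.matches[]
              | select(.vulnerability.severity != "Negligible")
              | "| \(.artifact.name) | \(.artifact.version) | \(.vulnerability.fix.versions[0] // (if .vulnerability.fix.state == "not-fixed" then "" else "(" + .vulnerability.fix.state + ")" end)) | \(.artifact.type) | \(.vulnerability.id) | \(.vulnerability.severity)|")
          ' >> "$GITHUB_STEP_SUMMARY"
          echo "# Scan Ruby image with grype (details)" >> "$GITHUB_STEP_SUMMARY"
          # Details view: every match, no state or severity filtering.
          docker run --rm anchore/grype:latest ruby:3.4-slim --output json | jq --raw-output '
            (["NAME","INSTALLED","FIXED IN","TYPE","VULNERABILITY","SEVERITY"] | join(" | ") | "| " + . + " |"),
            (["---","---","---","---","---","---"] | join(" | ") | "| " + . + " |"),
            (.matches[]
              | "| \(.artifact.name) | \(.artifact.version) | \(.vulnerability.fix.versions[0] // (if .vulnerability.fix.state == "not-fixed" then "" else "(" + .vulnerability.fix.state + ")" end)) | \(.artifact.type) | \(.vulnerability.id) | \(.vulnerability.severity)|")
          ' >> "$GITHUB_STEP_SUMMARY"
  debian:
    name: Scan debian image with grype
    strategy:
      fail-fast: false
    runs-on: ubuntu-latest
    steps:
      - name: Pull and scan upstream trixie image
        # `shell: bash` for pipefail; see the fluentd job for the rationale.
        shell: bash
        run: |
          docker pull debian:trixie
          echo "# Scan debian image with grype (filter)" >> "$GITHUB_STEP_SUMMARY"
          # Filter view: skip "wont-fix" findings and Negligible severity.
          docker run --rm anchore/grype:latest debian:trixie --ignore-states wont-fix --output json | jq --raw-output '
            (["NAME","INSTALLED","FIXED IN","TYPE","VULNERABILITY","SEVERITY"] | join(" | ") | "| " + . + " |"),
            (["---","---","---","---","---","---"] | join(" | ") | "| " + . + " |"),
            (.matches[]
              | select(.vulnerability.severity != "Negligible")
              | "| \(.artifact.name) | \(.artifact.version) | \(.vulnerability.fix.versions[0] // (if .vulnerability.fix.state == "not-fixed" then "" else "(" + .vulnerability.fix.state + ")" end)) | \(.artifact.type) | \(.vulnerability.id) | \(.vulnerability.severity)|")
          ' >> "$GITHUB_STEP_SUMMARY"
          echo "# Scan debian image with grype (details)" >> "$GITHUB_STEP_SUMMARY"
          # Details view: every match, no state or severity filtering.
          docker run --rm anchore/grype:latest debian:trixie --output json | jq --raw-output '
            (["NAME","INSTALLED","FIXED IN","TYPE","VULNERABILITY","SEVERITY"] | join(" | ") | "| " + . + " |"),
            (["---","---","---","---","---","---"] | join(" | ") | "| " + . + " |"),
            (.matches[]
              | "| \(.artifact.name) | \(.artifact.version) | \(.vulnerability.fix.versions[0] // (if .vulnerability.fix.state == "not-fixed" then "" else "(" + .vulnerability.fix.state + ")" end)) | \(.artifact.type) | \(.vulnerability.id) | \(.vulnerability.severity)|")
          ' >> "$GITHUB_STEP_SUMMARY"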