Fabrice Jammes

Reputation: 3205

Create a file in GitHub action

Inside a GitHub Action I'm using Anchore+grype to scan a container image, using the job below:

name: "CI"
on:
  push:
  pull_request:
    branches:
      - main
jobs:
  image-analysis:
    name: Analyze image
    runs-on: ubuntu-18.04
    needs: build
    steps:
      - name: Scan operator image
        uses: anchore/scan-action@v3
        id: scan
        with:
          image: "qserv/qserv-operator:2022.1.1-rc1"
          acs-report-enable: true

In order to ignore a false positive during the image scan, I want to create the file $HOME/.grype.yaml (see content below) before launching the image scan:

ignore:

  # False positive, see https://github.com/anchore/grype/issues/558
  - vulnerability: CVE-2015-5237
    fix-state: unknown
    package:
      name: google.golang.org/protobuf
      version: v1.26.0
      type: go-module
      location: "/manager"

Could you please show me how to create this file inside a GitHub Action?

Upvotes: 2

Views: 6594

Answers (2)

Fabrice Jammes

Reputation: 3205

This one works and has been tested successfully on Github Actions:

name: "CI"
on:
  push:
  pull_request:
    branches:
      - main
jobs:
  image-analysis:
    name: Analyze image
    runs-on: ubuntu-18.04
    permissions:
      security-events: write
    needs: build
    steps:
      - name: Create grype configuration
        run: |
          cat <<EOF > $HOME/.grype.yaml
          ignore:
            # False positive, see https://github.com/anchore/grype/issues/558
            - vulnerability: CVE-2015-5237
              fix-state: unknown
              package:
                name: google.golang.org/protobuf
                version: v1.26.0
                type: go-module
                location: "/manager"
          EOF
      - name: Scan operator image
        uses: anchore/scan-action@v3
        id: scan
        with:
          image: "qserv/qserv-operator:2022.1.1-rc1"
          acs-report-enable: true
          fail-build: false

Upvotes: 2
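A small helper for generating that file instead of hand-typing it (example code added here; it is not from the question, either answer, or the grype project): it renders .grype.yaml from structured rules and refuses any suppression that lacks a written reason or a package pin, so a false-positive ignore cannot quietly turn into a global one. It assumes the ignore-rule keys shown in the question and a fixed set of fix-state values.

```python
# Example added next to the answers above; it is not code from the question, either
# answer, or grype. Key names follow the ignore-rule layout shown in the question.
import re

# Ids grype reports look like CVE-YYYY-NNNN or GHSA-xxxx-xxxx-xxxx.
_VULN_ID = re.compile(r"^(CVE-\d{4}-\d{4,}|GHSA(-[a-z0-9]{4}){3})$")
# Assumption: the fix-state values grype accepts.
_FIX_STATES = {"fixed", "not-fixed", "wont-fix", "unknown"}
_PACKAGE_KEYS = ("name", "version", "type", "location")

def rule_problems(rule):
    """Return the reasons a rule must not be written (an empty list means OK)."""
    problems = []
    vuln = rule.get("vulnerability", "")
    if not _VULN_ID.match(vuln):
        problems.append(f"bad vulnerability id {vuln!r}")
    if not rule.get("reason"):
        problems.append("every ignore rule needs a reason (issue link or ticket)")
    if rule.get("fix-state", "unknown") not in _FIX_STATES:
        problems.append(f"unknown fix-state {rule['fix-state']!r}")
    pkg = rule.get("package") or {}
    if not pkg.get("name"):
        problems.append("pin at least package.name; never ignore an id globally")
    if set(pkg) - set(_PACKAGE_KEYS):
        problems.append(f"unsupported package keys {sorted(set(pkg) - set(_PACKAGE_KEYS))}")
    return problems

def render_grype_ignore(rules):
    """Return .grype.yaml text; each rule's reason becomes a comment above it."""
    lines = ["ignore:"]
    for rule in rules:
        if rule_problems(rule):
            raise ValueError(f"{rule.get('vulnerability')}: {'; '.join(rule_problems(rule))}")
        lines.append(f"  # {rule['reason']}")
        lines.append(f"  - vulnerability: {rule['vulnerability']}")
        if "fix-state" in rule:
            lines.append(f"    fix-state: {rule['fix-state']}")
        lines.append("    package:")
        for key in _PACKAGE_KEYS:  # quoted so paths and versions stay plain strings
            if key in rule["package"]:
                lines.append(f'      {key}: "{rule["package"][key]}"')
    return "\n".join(lines) + "\n"

EXAMPLE_RULES = [{  # constructed sample: the rule from the question above
    "vulnerability": "CVE-2015-5237", "fix-state": "unknown",
    "reason": "False positive, see https://github.com/anchore/grype/issues/558",
    "package": {"name": "google.golang.org/protobuf", "version": "v1.26.0",
                "type": "go-module", "location": "/manager"},
}]
```

Write the returned text to $HOME/.grype.yaml in a step that runs before the scan step, as the answer above does with its heredoc.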

vsr

Reputation: 1127

You could do something as simple as creating the file and then writing to it like this:

    - name: Create grype.yaml
      run: |
           # grype reads $HOME/.grype.yaml by default, so create and write that path
           touch ~/.grype.yaml
           # single quotes keep the double quotes around /manager intact
           echo '
           ignore:
               # False positive, see https://github.com/anchore/grype/issues/558
               - vulnerability: CVE-2015-5237
                 fix-state: unknown
                 package:
                   name: google.golang.org/protobuf
                   version: v1.26.0
                   type: go-module
                   location: "/manager"' > ~/.grype.yaml

Upvotes: 3
