# This workflow checks out code, performs an Anchore container image # vulnerability and compliance scan, and integrates the results with # GitHub Advanced Security code scanning feature. For more information on # the Anchore scan action usage and parameters, see # https://github.com/anchore/scan-action. For more information on # Anchore container image scanning in general, see # https://docs.anchore.com. name: Docker Container Scan (clickhouse-server) env: # Force the stdout and stderr streams to be unbuffered PYTHONUNBUFFERED: 1 "on": pull_request: paths: - docker/server/Dockerfile - .github/workflows/anchore-analysis.yml schedule: - cron: '0 21 * * *' jobs: Anchore-Build-Scan: runs-on: ubuntu-latest steps: - name: Checkout the code uses: actions/checkout@v2 - name: Build the Docker image run: | cd docker/server perl -pi -e 's|=\$version||g' Dockerfile docker build . --file Dockerfile --tag localbuild/testimage:latest - name: Run the local Anchore scan action itself with GitHub Advanced Security code scanning integration enabled uses: anchore/scan-action@v2 id: scan with: image: "localbuild/testimage:latest" acs-report-enable: true - name: Upload Anchore Scan Report uses: github/codeql-action/upload-sarif@v1 with: sarif_file: ${{ steps.scan.outputs.sarif }}