Skip to content

Commit 64fab69

Browse files
committed
build(compliance): add vulnerability scanning at release time and vulnerabilities verification
Signed-off-by: Victoria <kaysa.vps@gmail.com>
1 parent 3f09320 commit 64fab69

2 files changed

Lines changed: 10 additions & 0 deletions

File tree

.github/workflows/contracts/chainloop-chainloop-github-release.yaml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -14,3 +14,6 @@ spec:
1414
- ref: slsa-checks
1515
with:
1616
runner: GITHUB_ACTION
17+
- ref: vulnerability-management
18+
with:
19+
severity: "HIGH"

.github/workflows/release.yaml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -93,6 +93,9 @@ jobs:
9393
# Install Syft
9494
wget --no-verbose https://raw.githubusercontent.com/anchore/syft/c43f4fb416c34c1c4b3997373689d8d4c0fb9b36/install.sh -O - | sh -s -- -b /usr/local/bin
9595
96+
- name: Install Grype
97+
run: curl -sSfL https://raw.githubusercontent.com/anchore/grype/7b7d5be174d392ded78fd45d6cfaff4b7610d23b/install.sh | sh -s -- -b /usr/local/bin
98+
9699
- name: Run GoReleaser
97100
id: release
98101
uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757 # v3.2.0
@@ -149,6 +152,10 @@ jobs:
149152
150153
# Upload the SBOM to the release
151154
gh release upload ${{ github.ref_name }} /tmp/sbom-$material_name.cyclonedx.json --clobber
155+
156+
# Run Grype vulnerability scan and attest result
157+
grype --only-fixed -o sarif --file ./vuln-${container_name}.json $entry
158+
chainloop attestation add --name ${container_name}-vulnerability-report --value ./vuln-${container_name}.json --attestation-id ${{ env.ATTESTATION_ID }}
152159
fi
153160
done
154161

0 commit comments

Comments
 (0)