.github/workflows/scans.yml

name: Anchore-Grype Security Scans

on:
  push:
    branches: ["main"]
  schedule:
    # Run this against the default branch every Monday at 5:30AM
    - cron: "30 5 * * 2"

permissions: write-all
jobs:
  scan:
    runs-on: ubuntu-latest
    env:
      DOCKER_IMAGE: ortussolutions/boxlang
    strategy:
      matrix:
        include:
          - BUILD_IMAGE_DOCKERFILE: builds/base/JDK21.Dockerfile
            BUILD_IMAGE_TAG: cli
          - BUILD_IMAGE_DOCKERFILE: builds/base/JDK21.Web.Dockerfile
            BUILD_IMAGE_TAG: miniserver

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@master
        with:
          platforms: all

      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@master

      - name: Build local container
        uses: docker/build-push-action@v2
        env:
          DOCKER_BUILDKIT: 1
        with:
          context: .
          file: ${{ matrix.BUILD_IMAGE_DOCKERFILE }}
          build-args: |
            BUILDKIT_INLINE_CACHE=1
          push: false
          load: true
          tags: ${{ env.DOCKER_IMAGE }}:${{ matrix.BUILD_IMAGE_TAG }}

      - name: Scan image
        uses: anchore/scan-action@v3
        id: imagescan
        with:
          image: ${{ env.DOCKER_IMAGE }}:${{ matrix.BUILD_IMAGE_TAG }}
          acs-report-enable: "true"
          fail-build: false

      - name: Upload Anchore Report
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: ${{ steps.imagescan.outputs.sarif }}
          category: ${{ matrix.BUILD_IMAGE_TAG }}