Update build.yml

ucsd-ets · Feb 23, 2024 · 00b26e9 · 00b26e9
1 parent 482fe15
commit 00b26e9
Showing 1 changed file with 16 additions and 0 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -72,3 +72,19 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Scan for vulnerabilities
+        uses: crazy-max/ghaction-container-scan@v3
+        with:
+          image: ${{ steps.meta.outputs.tags }}
+
+      - name: Filter out non-critical vulns
+        run: |
+          mv /tmp/container-scan*/ /tmp/container-scan/ && cat /tmp/container-scan/result.json | jq '.Results[0].Vulnerabilities[] | select(.Severity=="CRITICAL")' > /tmp/container-scan/critical.json
+      
+      - name: Archive container scan results
+        uses: actions/upload-artifact@v3
+        with:
+          name: container-scan-results
+          path: | 
+            /tmp/container-scan*