Consolidated scanning (#3832)

* Consolidated security scanning * Add quality scan * Version bumps * Add container scanning * Check out repo for container scan * Build need and dependent outputs * Incremental SAST * Sonar fixes * Underscore * Inherit secrets * Qualify Docker image name outputs * Try a login * Remove build modifications as this doesn't work with a matrix * Move container scanning closer to tbe Docker steps for better management
2026-01-05 10:03:23 +00:00 · 2024-02-23 13:47:23 -05:00
parent 6d089d3c26
commit 96d0ae9cf7
2 changed files with 81 additions and 6 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -119,6 +119,8 @@ jobs:
  build-docker:
    name: Build Docker images
    runs-on: ubuntu-22.04
+    permissions:
+      security-events: write
    needs: build-artifacts
    strategy:
      fail-fast: false
@@ -173,7 +175,7 @@ jobs:
      - name: Check out repo
        uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0

-      - name: Check Branch to Publish
+      - name: Check branch to publish
        env:
          PUBLISH_BRANCHES: "main,rc,hotfix-rc"
        id: publish-branch-check
@@ -192,7 +194,7 @@ jobs:
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

-      - name: Login to PROD ACR
+      - name: Log in to ACR - production subscription
        run: az acr login -n bitwardenprod

      - name: Log in to Azure - CI subscription
@@ -200,7 +202,7 @@ jobs:
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

-      - name: Retrieve github PAT secrets
+      - name: Retrieve GitHub PAT secrets
        id: retrieve-secret-pat
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        with:
@@ -270,6 +272,19 @@ jobs:
          secrets: |
            "GH_PAT=${{ steps.retrieve-secret-pat.outputs.github-pat-bitwarden-devops-bot-repo-scope }}"

+      - name: Scan Docker image
+        id: container-scan
+        uses: anchore/scan-action@3343887d815d7b07465f6fdcd395bd66508d486a # v3.6.4
+        with:
+          image: ${{ steps.image-names.outputs.names }}
+          fail-build: false
+          output-format: sarif
+
+      - name: Upload Grype results to GitHub
+        uses: github/codeql-action/upload-sarif@b7bf0a3ed3ecfa44160715d7c442788f65f0f923 # v3.23.2
+        with:
+          sarif_file: ${{ steps.container-scan.outputs.sarif }}
+
  upload:
    name: Upload
    runs-on: ubuntu-22.04
@@ -286,7 +301,7 @@ jobs:
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

-      - name: Login to PROD ACR
+      - name: Log in to ACR - production subscription
        run: az acr login -n $_AZ_REGISTRY --only-show-errors

      - name: Make Docker stubs
@@ -453,7 +468,7 @@ jobs:
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

-      - name: Retrieve github PAT secrets
+      - name: Retrieve GitHub PAT secrets
        id: retrieve-secret-pat
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        with:
@@ -486,7 +501,7 @@ jobs:
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

-      - name: Retrieve github PAT secrets
+      - name: Retrieve GitHub PAT secrets
        id: retrieve-secret-pat
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        with: