add security scanning

eksrha · eksrha · commit 3d13639bb0e7 · 2022-04-29T19:06:38.000+02:00
diff --git a/.github/workflows/anchore.yml b/.github/workflows/anchore.yml
@@ -0,0 +1,43 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow checks out code, builds an image, performs a container image
+# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security
+# code scanning feature.  For more information on the Anchore scan action usage
+# and parameters, see https://github.com/anchore/scan-action. For more
+# information on Anchore's container image scanning tool Grype, see
+# https://github.com/anchore/grype
+name: Anchore Container Scan
+
+on:
+  push:
+    branches: [ main ]
+  schedule:
+    - cron: '45 5 * * 1'
+
+permissions:
+  contents: read
+
+jobs:
+  Anchore-Build-Scan:
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout the code
+      uses: actions/checkout@v3
+
+    - name: Scan current project
+      id: scan
+      uses: anchore/scan-action@v3
+      with:
+        path: "."
+        acs-report-enable: true
+
+    - name: Upload Anchore Scan Report
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: ${{ steps.scan.outputs.sarif }}
diff --git a/README.md b/README.md
@@ -1,22 +1,24 @@
-# github-runner-base
+[![Create Release](https://github.com/fullstack-devops/github-actions-runner/actions/workflows/create-release.yml/badge.svg)](https://github.com/fullstack-devops/github-actions-runner/actions/workflows/create-release.yml)
+
+# GitHub Actions Custom Runner
 Container images with Github Actions Runner. Different flavored images with preinstalled tools and software for builds with limited internet access and non root privileges.
 
 Ideal for building software in enterprise environments of large organizations that often restrict internet access.
 Software builds can be built there using a [Nexus Repository](https://de.sonatype.com/products/repository-oss) or [JFrog Artifactory](https://jfrog.com/de/artifactory/)
 
 Support: If you need help or a feature just open an issue!
 
-Package / Images: ghcr.io/fullstack-devops/github-actions-runner
+Package / Images: `ghcr.io/fullstack-devops/github-actions-runner`
 
 Available Tags:
-| Name (tag)              | Installed Tools/ Software                                                                                 | Description                                                                                                                      |
-|-------------------------|-----------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------|
-| `latest-base`           | libffi-dev, libicu-dev, build-essential, libssl-dev, ca-certificates, jq, sed, grep, git, curl, wget, zip | Base runner with nothing fancy installed <br> [Dockerfile](images/base/Dockerfile)                                               |
-| `latest-kaniko-sidecar` | kaniko                                                                                                    | Sidecar used by other runner images to build containers without root privileges                                                               |
-| `latest-ansible-k8s`    | base-image + ansible, helm, kubectl, skopeo                                                                       | Runner specialized for automated k8s deployments via ansible <br> For more Details see [Dockerfile](images/ansible-k8s/Dockerfile)            |
-| `latest-fullstacked`    | base-image + maven, openjdk-11, nodejs, go, yarn, angular/cli, helm                                       | Runner with a bunch of tools to build your hole application<br> For more Details see [Dockerfile](images/fullstacked/Dockerfile) |
-
-> Hint: `latest can be replaced with an spezfic release version for more stability`
+| Name (tag)              | Installed Tools/ Software                                                                                 | Description                                                                                                                        |
+|-------------------------|-----------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------|
+| `latest-base`           | libffi-dev, libicu-dev, build-essential, libssl-dev, ca-certificates, jq, sed, grep, git, curl, wget, zip | Base runner with nothing fancy installed <br> [Dockerfile](images/base/Dockerfile)                                                 |
+| `latest-kaniko-sidecar` | kaniko                                                                                                    | Sidecar used by other runner images to build containers without root privileges                                                    |
+| `latest-ansible-k8s`    | base-image + ansible, helm, kubectl, skopeo                                                               | Runner specialized for automated k8s deployments via ansible <br> For more Details see [Dockerfile](images/ansible-k8s/Dockerfile) |
+| `latest-fullstacked`    | base-image + maven, openjdk-11, nodejs, go, yarn, angular/cli, helm                                       | Runner with a bunch of tools to build your hole application<br> For more Details see [Dockerfile](images/fullstacked/Dockerfile)   |
+
+> Hint: `latest` can be replaced with an specific release version for more stability in your environment.
 
 ---
 
