This GitHub Action performs security scanning on your codebase using Syft and Grype. It generates a Software Bill of Materials (SBOM) and then runs a security vulnerability scan against it.
- Generates a Software Bill of Materials (SBOM) using Syft
- Performs security vulnerability scanning using Grype
- Fails the workflow if high-severity vulnerabilities are found
- Only reports vulnerabilities that have available fixes
```yaml
- name: Security Scan
  uses: orangitfi/platform-tooling/.github/actions/security-scan-code@<current-sha>
  with:
    directory: '.' # The directory to scan
```

| Input | Required | Description |
|---|---|---|
| directory | Yes | The directory path to scan for security vulnerabilities |
- Checks out your repository code
- Generates an SBOM (Software Bill of Materials) using Syft in JSON format
- Runs Grype to scan for security vulnerabilities:
  - Only reports vulnerabilities that have available fixes (`--only-fixed`)
  - Fails the workflow if high-severity vulnerabilities are found (`--fail-on high`)
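Added example, not part of this action or of the Anchore tools: a Python re-implementation of the gate the Grype step applies (`--only-fixed` plus `--fail-on high`), run over a constructed Grype JSON report so a result copied from the Actions log can be re-checked offline. The `matches[].vulnerability.severity` and `matches[].vulnerability.fix.state` field names are assumed to match Grype's JSON output.

```python
"""Re-apply the action's Grype gate (--only-fixed, --fail-on high) to a report.
Field names follow Grype's JSON output as assumed here; the report below is a
constructed sample, not real scan data."""
import json

# Grype's severity ladder, lowest to highest. "Unknown" never trips the gate.
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample in the shape of `grype sbom:sbom.json -o json`.
SAMPLE_REPORT = json.dumps({"matches": [
    {"artifact": {"name": "libssl", "version": "1.1.1"},
     "vulnerability": {"id": "EXAMPLE-0001", "severity": "High",
                       "fix": {"state": "fixed", "versions": ["1.1.1t"]}}},
    {"artifact": {"name": "zlib", "version": "1.2.11"},
     "vulnerability": {"id": "EXAMPLE-0002", "severity": "Critical",
                       "fix": {"state": "not-fixed", "versions": []}}},
    {"artifact": {"name": "busybox", "version": "1.35"},
     "vulnerability": {"id": "EXAMPLE-0003", "severity": "Medium",
                       "fix": {"state": "fixed", "versions": ["1.36"]}}},
]})


def fixed_matches(report):
    """Keep only matches that have an available fix (the --only-fixed filter)."""
    return [m for m in report.get("matches", [])
            if m["vulnerability"].get("fix", {}).get("state") == "fixed"]


def scan_gate(report_json, fail_on="high", only_fixed=True):
    """Return (failed, reported): reported = (package, id, severity) tuples that
    survive the filter; failed = any reported match at or above fail_on."""
    report = json.loads(report_json)
    matches = fixed_matches(report) if only_fixed else report.get("matches", [])
    threshold = SEVERITY_RANK[fail_on.lower()]
    reported = [(m["artifact"]["name"], m["vulnerability"]["id"],
                 m["vulnerability"]["severity"]) for m in matches]
    failed = any(SEVERITY_RANK.get(sev.lower(), -1) >= threshold
                 for _, _, sev in reported)
    return failed, reported


if __name__ == "__main__":
    failed, reported = scan_gate(SAMPLE_REPORT)
    for name, vid, sev in reported:
        print(f"{sev:<9} {vid} in {name}")
    raise SystemExit(1 if failed else 0)  # non-zero fails the job, like Grype
```

Note that the not-fixed Critical finding is dropped by the `--only-fixed` filter before the severity gate runs, so it never fails the job on its own.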
This action requires Syft and Grype to be available in the GitHub Actions runner environment. Make sure these tools are installed before running the action.
- Generates `sbom.json` in the specified directory
- Provides security scan results in the GitHub Actions logs
- Fails the workflow if high-severity vulnerabilities are found