Merge pull request #6 from dockersamples/evaluate-scout-policy-breakage

Downgrade app to introduce vulnerabilities (testing CI pipeline)
dockersamples · Dec 19, 2024 · 20a0dae · 20a0dae
2 parents 0a05938 + 1f4dca4
commit 20a0dae
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 4 deletions.
diff --git a/.github/workflows/pipeline-docker-cloud.yaml b/.github/workflows/pipeline-docker-cloud.yaml
@@ -98,6 +98,17 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Set up containerd
+        uses: docker/setup-docker-action@v4
+        with:
+          set-host: true
+          daemon-config: |
+            {
+              "features": {
+                "containerd-snapshotter": true
+              }
+            }
+
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:
@@ -128,8 +139,8 @@ jobs:
         with:
           context: .
           platforms: ${{ github.event_name == 'pull_request' && 'linux/amd64' || 'linux/amd64,linux/arm64' }}
-          provenance: ${{ github.event_name != 'pull_request' && 'mode=max' }}
-          sbom: ${{ github.event_name != 'pull_request' && true }}
+          provenance: mode=max
+          sbom: true
           push: ${{ github.event_name != 'pull_request' }}
           load: ${{ github.event_name == 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
@@ -144,6 +155,8 @@ jobs:
           to-env: production
           write-comment: true
           organization: ${{ env.DOCKERHUB_ORG_NAME }}
+          # TODO Update this to include policy once DBC image loading includes attestations
+          exit-on: vulnerability
 
   stage-deploy:
     if: github.event_name == 'push' && github.ref == 'refs/heads/main'

diff --git a/.github/workflows/pipeline-gha.yaml b/.github/workflows/pipeline-gha.yaml
@@ -92,6 +92,17 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
 
+      - name: Set up containerd
+        uses: docker/setup-docker-action@v4
+        with:
+          set-host: true
+          daemon-config: |
+            {
+              "features": {
+                "containerd-snapshotter": true
+              }
+            }
+
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:
@@ -118,8 +129,8 @@ jobs:
         with:
           context: .
           platforms: ${{ github.event_name == 'pull_request' && 'linux/amd64' || 'linux/amd64,linux/arm64' }}
-          provenance: ${{ github.event_name != 'pull_request' && 'mode=max' }}
-          sbom: ${{ github.event_name != 'pull_request' && true }}
+          provenance: mode=max
+          sbom: true
           push: ${{ github.event_name != 'pull_request' }}
           load: ${{ github.event_name == 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
@@ -134,6 +145,8 @@ jobs:
           to-env: production
           write-comment: false # Disabling this one since this is a duplicate workflow
           organization: ${{ env.DOCKERHUB_ORG_NAME }}
+          # TODO Update this to include policy once DBC image loading includes attestations
+          exit-on: vulnerability
 
   stage-deploy:
     if: github.event_name == 'push' && github.ref == 'refs/heads/main'