new workflow

.github/workflows/docker.yml

@@ -72,9 +72,11 @@ jobs:
           LOCAL_SEMVER_PATCH=$(awk -F. '{ print $3 }' <<< ${json_semver_version})
           LOCAL_SEMVER_PREFIX=""
           LOCAL_SEMVER_SUFFIX=""
+          LOCAL_SEMVER_RC=""
           LOCAL_TAGS="${LOCAL_IMAGE}:${LOCAL_SHA}"
           if [ ! -z ${input_semverprefix} ]; then LOCAL_SEMVER_PREFIX="${input_semverprefix}-"; fi
           if [ ! -z ${input_semversuffix} ]; then LOCAL_SEMVER_SUFFIX="-${input_semversuffix}"; fi
+          if [ ! -z ${json_semver_rc} ]; then LOCAL_SEMVER_RC="-${json_semver_rc}"; fi
           if [ ! -z ${LOCAL_SEMVER_MAJOR} ]; then LOCAL_TAGS="${LOCAL_TAGS},${LOCAL_IMAGE}:${LOCAL_SEMVER_PREFIX}${LOCAL_SEMVER_MAJOR}${LOCAL_SEMVER_SUFFIX}"; fi
           if [ ! -z ${LOCAL_SEMVER_MINOR} ]; then LOCAL_TAGS="${LOCAL_TAGS},${LOCAL_IMAGE}:${LOCAL_SEMVER_PREFIX}${LOCAL_SEMVER_MAJOR}.${LOCAL_SEMVER_MINOR}${LOCAL_SEMVER_SUFFIX}"; fi
           if [ ! -z ${LOCAL_SEMVER_PATCH} ]; then LOCAL_TAGS="${LOCAL_TAGS},${LOCAL_IMAGE}:${LOCAL_SEMVER_PREFIX}${LOCAL_SEMVER_MAJOR}.${LOCAL_SEMVER_MINOR}.${LOCAL_SEMVER_PATCH}${LOCAL_SEMVER_SUFFIX}"; fi
@@ -87,10 +89,10 @@ jobs:
           if [ ! -z ${input_uid} ]; then echo "IMAGE_UID=${input_uid}" >> $GITHUB_ENV; else echo "IMAGE_UID=${json_uid:-1000}" >> $GITHUB_ENV; fi
           if [ ! -z ${input_gid} ]; then echo "IMAGE_GID=${input_gid}" >> $GITHUB_ENV; else echo "IMAGE_GID=${json_gid:-1000}" >> $GITHUB_ENV; fi
 
-          : # set prefix or suffix globally
+          : # set rc, prefix or suffix globally
           echo "IMAGE_SEMVER_PREFIX=${LOCAL_SEMVER_PREFIX}" >> $GITHUB_ENV
           echo "IMAGE_SEMVER_SUFFIX=${LOCAL_SEMVER_SUFFIX}" >> $GITHUB_ENV
-
+          echo "IMAGE_VERSION_RC=${LOCAL_SEMVER_RC}" >> $GITHUB_ENV
 
       - name: docker / login to hub
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
@@ -104,7 +106,8 @@ jobs:
       - name: docker / setup buildx
         uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5
 
-      - name: grype / build & push
+      - name: grype / build & push & tag
+        id: grype-tag
         uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d
         with:
           context: .
@@ -122,23 +125,31 @@ jobs:
             APP_GID=${{ env.IMAGE_GID }}
             APP_VERSION_PREFIX=${{ env.IMAGE_SEMVER_PREFIX }}
             APP_VERSION_SUFFIX=${{ env.IMAGE_SEMVER_SUFFIX }}
+            APP_VERSION_RC=${{ env.IMAGE_VERSION_RC }}
             APP_NO_CACHE=$(date +%s)
           tags: |
             ${{ env.IMAGE }}:${{ env.IMAGE_SEMVER_PREFIX }}grype${{ env.IMAGE_SEMVER_SUFFIX }}
 
       - name: grype / scan
-        id: scan
+        id: grype-scan
         uses: anchore/scan-action@abae793926ec39a78ab18002bc7fc45bbbd94342
         with:
           image: ${{ env.IMAGE }}:${{ env.IMAGE_SEMVER_PREFIX }}grype${{ env.IMAGE_SEMVER_SUFFIX }}
           severity-cutoff: ${{ env.WORKFLOW_GRYPE_SEVERITY_CUTOFF }}
+          by-cve: true
+          output-format: 'sarif'
+          output-file: ${{ runner.temp }}/_github_home/grype.sarif
 
-      - name: grype / report / print
+      - name: grype / report / sarif to markdown
+        id: sarif-to-md
         if: success() || failure()
-        run: cat ${{ steps.scan.outputs.sarif }}
+        continue-on-error: true
+        uses: 11notes/action-sarif-to-markdown@b2656b3171cb3cddc50d50b2f86921cb2e6aeab1
+        with:
+          sarif_file: grype.sarif
 
       - name: grype / delete tag
-        if: success() || failure()
+        if: steps.grype-tag.outcome == 'success'
         run: |
           curl --request DELETE \
             --url https://hub.docker.com/v2/repositories/${{ env.IMAGE }}/tags/${{ env.IMAGE_SEMVER_PREFIX }}grype${{ env.IMAGE_SEMVER_SUFFIX }}/ \
@@ -147,9 +158,11 @@ jobs:
             --fail
 
       - name: grype / report / upload
+        if: steps.grype-scan.outcome == 'success'
         uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169
         with:
-          sarif_file: ${{ steps.scan.outputs.sarif }}
+          sarif_file: ${{ steps.grype-scan.outputs.sarif }}
+          category: grype
 
       - name: docker / build & push
         uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d
@@ -171,6 +184,7 @@ jobs:
             APP_GID=${{ env.IMAGE_GID }}
             APP_VERSION_PREFIX=${{ env.IMAGE_SEMVER_PREFIX }}
             APP_VERSION_SUFFIX=${{ env.IMAGE_SEMVER_SUFFIX }}
+            APP_VERSION_RC=${{ env.IMAGE_VERSION_RC }}
             APP_NO_CACHE=$(date +%s)
           tags: |
             ${{ env.IMAGE_TAGS }}