Closed ericwb closed 4 years ago
For a project I'm comparing several SBOM tools with each other. We're comparing tern with anchore, blackduck, whitesource, aws ecr, google cloud, and so on.
I've created a GitHub Action workflow for Tern.
https://github.com/JeroenKnoops/scan-docker-image/blob/master/.github/workflows/scan-tern.yml
I can create a github action for this so you can put it in the marketplace. Please let me know if you want me to create a PR here.
btw. We really like the output of tern. :)
@JeroenKnoops thanks for the feedback! We'd really appreciate a GitHub action. Just note that currently, Tern needs a Linux host to run. I am not sure if that is a blocker with creating a GitHub action.
I've started the development, will finish it hopefully this week. Will try to make most of the configuration available in the action.
Progress can be found here: https://github.com/philips-labs/tern-action
Example of using it: https://github.com/JeroenKnoops/tern-action-examples
With tern version 2.2.0 the action works great. I've released it here: https://github.com/marketplace/actions/tern-action
Source is here: https://github.com/philips-labs/tern-action but you are free to use this as inspiration and recreate it in the tern-tools organization.
Thank you! I will close this issue then.
Describe the Feature
GitHub supports a wide variety of GitHub actions to run various actions, all based on containerized programs. I think Tern could be a good "action" to run as part of a deployment workflow.
https://github.com/marketplace?type=actions
Use Cases
Before a container is deployed to DockerHub, it could be useful to have an action to run Tern to check the compliance of it.
Implementation Changes
Essentially, you just need to write a Dockerfile for the action. For example, golangci-lint: https://github.com/actions-contrib/golangci-lint/blob/master/Dockerfile
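The issue body sketches the action as "a Dockerfile for the action"; the part that Dockerfile hands control to is an entrypoint script, and that is where workflow-supplied inputs meet the Tern command line. The script below is an added example written for this thread, not code from the Tern project and not the philips-labs/tern-action; it assumes a Dockerfile that installs Tern (for example with pip) and sets this script as its ENTRYPOINT, and it assumes action inputs named image, format and output, which GitHub delivers to a Docker container action as the environment variables INPUT_IMAGE, INPUT_FORMAT and INPUT_OUTPUT. The set of allowed report formats is an assumption as well; check tern report -h for the version you package. As the maintainer notes above, Tern itself still needs a Linux runner with Docker access, so the action is only usable on such runners.

```shell
#!/bin/sh
# entrypoint.sh for a hypothetical Docker container action that runs Tern.
# Added example; not from the Tern project or philips-labs/tern-action.
# Assumes: a Dockerfile that installs Tern and uses this script as ENTRYPOINT,
# and action inputs "image", "format", "output" (GitHub exports them as
# INPUT_IMAGE, INPUT_FORMAT, INPUT_OUTPUT).
set -eu

# Accept only characters that can occur in an image reference, and no leading
# dash, so a workflow-supplied value cannot smuggle shell syntax or an extra
# option into the command line.
validate_image_ref() {
  case "$1" in
    ''|-*|*[!A-Za-z0-9._/:@-]*) return 1 ;;
  esac
  return 0
}

# Allowed report formats (assumed set; verify against `tern report -h`).
validate_format() {
  case "$1" in
    json|yaml|spdxtagvalue|html) return 0 ;;
    *) return 1 ;;
  esac
}

# Render the tern command line as one string, used for the log line and
# for testing; the real invocation below passes the arguments separately.
tern_cmd() {
  printf 'tern report -i %s -f %s -o %s' "$1" "$2" "$3"
}

main() {
  image="${INPUT_IMAGE}"
  format="${INPUT_FORMAT:-json}"
  output="${INPUT_OUTPUT:-tern-report.json}"

  # Fail the step with a GitHub workflow error annotation on bad input.
  validate_image_ref "$image" || { echo "::error::invalid image reference: $image" >&2; exit 1; }
  validate_format "$format" || { echo "::error::unsupported report format: $format" >&2; exit 1; }

  echo "Running: $(tern_cmd "$image" "$format" "$output")"
  # Quoted, separate arguments: the validated values reach tern verbatim,
  # and nothing is re-parsed by the shell.
  tern report -i "$image" -f "$format" -o "$output"

  # Publish the report path as a step output for later workflow steps.
  if [ -n "${GITHUB_OUTPUT:-}" ]; then
    echo "report=$output" >> "$GITHUB_OUTPUT"
  fi
}

# Only run when invoked by the action runtime, i.e. when INPUT_IMAGE is set.
if [ -n "${INPUT_IMAGE:-}" ]; then
  main
fi
```

The workflow step then looks like any other container action: `uses: <owner>/<repo>@<ref>` with `with: image: myorg/app:1.2.3`, and a following step can read `${{ steps.<id>.outputs.report }}` to upload or inspect the generated report.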