feat: Add SBOM generation and vulnerability scanning in workflows (#39)

* feat: generate container sbom during release

* No need to publish separately, it's automatic

* feat: Add regular vulnerability scanning

* syntax

* specify container file

* vital missing step

* Display grype output in the log in table format

.github/workflows/publish-release.yml

@@ -113,5 +113,11 @@ jobs:
             ghcr.io/${{ github.repository }}:${{ env.STREAM_SPROUT_VER }}-alpine
             ghcr.io/${{ github.repository }}:${{ github.sha }}-alpine
           platforms: linux/amd64, linux/arm64
+      - name: "Generate SBOM"
+        uses: anchore/sbom-action@v0
+        with:
+          image: ghcr.io/${{ github.repository }}:latest-alpine
+          registry-username: ${{ github.actor }}
+          registry-password: ${{ secrets.GITHUB_TOKEN }}
       - name: Logout from Container Registry
         run: docker logout ghcr.io

.github/workflows/scan-container.yaml

@@ -0,0 +1,35 @@
+name: "Vulnerability 🐞 scan 🔍 container"
+
+on:
+  schedule:
+    - cron: "0 10 * * 2"
+  workflow_dispatch:
+
+jobs:
+  vulnerability-scan:
+    name: "Build and scan"
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: build local container
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          file: ./Containerfile
+          tags: localbuild/testimage:latest
+          push: false
+          load: true
+
+      - name: Scan image
+        uses: anchore/scan-action@v3
+        with:
+          image: "localbuild/testimage:latest"
+          output-format: table
+
+      - name: Inspect action report
+        run: cat ${{ steps.scan.outputs.table }}