Make the scanner to fail always with log4j vulnerability (#48)

e-minguez · web-flow · commit 6f6356f7a11d · 2022-11-25T14:24:31.000+01:00
diff --git a/.github/workflows/build-scan-and-push.yaml b/.github/workflows/build-scan-and-push.yaml
@@ -26,6 +26,7 @@ jobs:
       uses: docker/build-push-action@v3
       with:
         context: ${{ env.DOCKERFILE_CONTEXT }}
+        file: "${{ env.DOCKERFILE_CONTEXT }}Dockerfile.log4j"
         tags: ${{ env.REGISTRY_HOST }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
         load: true
     
@@ -70,5 +71,6 @@ jobs:
       uses: docker/build-push-action@v3
       with:
         context: ${{ env.DOCKERFILE_CONTEXT }}
+        file: "${{ env.DOCKERFILE_CONTEXT }}Dockerfile.log4j"
         push: true
-        tags: ${{ env.REGISTRY_HOST }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
+        tags: ${{ env.REGISTRY_HOST }}/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
diff --git a/github/new-scan-engine/Dockerfile.log4j b/github/new-scan-engine/Dockerfile.log4j
@@ -0,0 +1,3 @@
+FROM alpine:latest
+ADD https://archive.apache.org/dist/logging/log4j/2.14.1/apache-log4j-2.14.1-bin.tar.gz /root
+RUN tar xzvf /root/apache-log4j-2.14.1-bin.tar.gz

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+FROM alpine:latest`
	`2`	`+ADD https://archive.apache.org/dist/logging/log4j/2.14.1/apache-log4j-2.14.1-bin.tar.gz /root`
	`3`	`+RUN tar xzvf /root/apache-log4j-2.14.1-bin.tar.gz`