Add Grype scan

# Conflicts:
#	.github/workflows/build.yml

Author: loicgreffier

.github/workflows/build.yml

@@ -7,6 +7,8 @@ on:
   pull_request:
     branches:
       - 'main'
+  schedule:
+    - cron: '0 5 * * 1'
 
 jobs:
   build:
@@ -51,6 +53,22 @@ jobs:
         with:
           report_paths: '**/target/surefire-reports/TEST-*.xml'
 
+      - name: Grype source code
+        id: grype_source_code
+        uses: anchore/scan-action@v6
+        with:
+          path: .
+          fail-build: true
+          severity-cutoff: high
+          only-fixed: true
+
+      - name: Upload Grype source code report
+        if: always() && steps.grype_source_code.outputs.sarif != ''
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.grype_source_code.outputs.sarif }}
+          category: 'source-code'
+
       - name: Sonar
         if: github.event.pull_request.head.repo.fork == false
         run: mvn verify sonar:sonar

pom.xml

@@ -147,7 +147,7 @@
                 <version>${jib-maven-plugin.version}</version>
                 <configuration>
                     <from>
-                        <image>eclipse-temurin:21_35-jre</image>
+                        <image>eclipse-temurin:21-jre-alpine</image>
                     </from>
                     <to>
                         <image>docker.io/loicgreffier/spring-boot-kafka-quickstarts:${project.artifactId}-${project.version}</image>