Skip to content

[Analyse] Trivy

[Analyse] Trivy #20

Workflow file for this run

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: trivy
on:
push:
branches: ["CHANGEME"]
# pull_request:
# # The branches below must be a subset of the branches above
# branches: [ "main" ]
schedule:
- cron: "0 3 * * 0" # 3am every sunday
permissions:
contents: read
jobs:
build:
permissions:
packages: write
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Build
runs-on: "ubuntu-20.04"
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Login to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v1
- name: Build image
uses: docker/build-push-action@v4
env:
GITHUB_SHA: ${{ github.sha }}
VERSION: NO_VERSION
ENV_PROFILE: "prod"
with:
context: .
builder: ${{ steps.buildx.outputs.name }}
file: infra/docker/app/Dockerfile
push: true
tags: |
ghcr.io/mtes-mct/rapportnav2/rapportnav-app:${{ github.sha }}
build-args: |
VERSION=${{ env.VERSION }}
ENV_PROFILE=${{ env.ENV_PROFILE }}
GITHUB_SHA=${{ github.sha }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: "ghcr.io/mtes-mct/rapportnav2/rapportnav-app:${{ github.sha }}"
format: sarif
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "trivy-results.sarif"