Merge pull request #3 from kimgoetzke/feature-various

Add vulnerability scans to feature workflow
kimgoetzke · Feb 9, 2023 · 0069c98 · 0069c98
2 parents e7c78c2 + 8234675
commit 0069c98
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 7 deletions.
diff --git a/.github/workflows/basic-ci-feature-workflow.yml b/.github/workflows/basic-ci-feature-workflow.yml
@@ -45,3 +45,20 @@ jobs:
           registry: docker.io
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/${{ secrets.DOCKERHUB_USERNAME }}/${{ secrets.DOCKERHUB_REPOSITORY }}:${{ github.ref_name }}_latest'
+          format: 'json'
+          output: 'trivy-results.json'
+          exit-code: '1'
+          severity: 'CRITICAL'
+        env:
+          TRIVY_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+          TRIVY_PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Upload Trivy results
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy-vulnerability-scan-result
+          path: trivy-results.json
+
diff --git a/README.md b/README.md
@@ -14,9 +14,11 @@ Branches created with a name starting with `feature-` trigger the GitHub Actions
 2. Build application, run all tests and build scan 
 3. Upload Gradle build reports and attach as artifact to action 
 4. Upload Jacoco test coverage reports and attach as artifact to action 
-5. Create Docker image and upload to DockerHub
+5. Create Docker images and upload to DockerHub
+6. Run Trivy vulnerability scan and fail if critical vulnerabilities detected*
+7. Upload vulnerability scan results as artifact to action
 
-Docker images are named automatically: `feature-{name}-v{github.run_number}`.
+A new Docker image `feature-{name}_v{github.run_number}` is created and `feature-{name}_latest` is overwritten.
 
 ### Main/release workflow
 
@@ -26,11 +28,11 @@ Only branches with the `feature-` prefix are permitted to push to main. Changes
 2. Set up Java
 3. Validate Gradle wrapper
 2. Build application, run all tests and build scan
-3. Create Docker image and upload to DockerHub 
+3. Create Docker images and upload to DockerHub 
 4. Create a release on GitHub
 5. Use content of `latest_release_notes.txt` as release notes body
 
-Docker images are named automatically: `main-v{github.run_number}`. Release is named `v{github.run_number}`.
+A new Docker image `main_v{github.run_number}` is created and `main_latest` is overwritten. Release is named `v{github.run_number}`.
 
 ### Branch protection
 ![ci-diagram.svg](ci-diagram.svg)
diff --git a/latest-release-notes.txt b/latest-release-notes.txt
@@ -1,3 +1 @@
-- Renamed workflow steps to allow easier selection to make branch protection rules easier to set up
-- Updated README.md
-- Added branch protection
+- Added Trivy vulnerability scans to feature workflow