⛓️💥 [BRMO-389] Verwijder BRK-1 (materialized) views ⛓️💥 #1131
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: 'Trivy Security Scan' | |
on: # use pull request so this workflow dos not fail when triggered by dependabot PR's | |
pull_request: | |
schedule: | |
- cron: "17 23 * * 0" | |
workflow_dispatch: | |
env: | |
MAVEN_VERSION: '3.9.9' | |
jobs: | |
build: | |
name: "Trivy Scan ${{ matrix.docker-image }}" | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
java: [ 17 ] | |
java-dist: [ 'temurin' ] | |
docker-image: | |
- 'brmo-bag2-loader' | |
- 'brmo-bgt-loader' | |
- 'brmo-service' | |
- 'brmo-service-db' | |
steps: | |
- uses: actions/checkout@v4 | |
- name: 'Set up JDK' | |
uses: actions/setup-java@v4 | |
with: | |
distribution: "${{ matrix.java-dist }}" | |
java-version: ${{ matrix.java }} | |
cache: 'maven' | |
- name: 'Set up Maven' | |
uses: stCarolas/setup-maven@v5 | |
with: | |
maven-version: ${{ env.MAVEN_VERSION }} | |
- name: "Build Java ${{ matrix.java }}" | |
run: mvn -U package -Dmaven.test.skip=true -Ddocker.skip=true -Dtest.onlyITs= -DskipQA=true -Dmaven.javadoc.skip=true | |
- name: 'Trivy Cache' | |
uses: yogeshlonkar/trivy-cache-action@v0.1.10 | |
with: | |
gh-token: ${{ secrets.GITHUB_TOKEN }} | |
- name: "Run Trivy vulnerability scanner on ${{ matrix.docker-image }}" | |
uses: aquasecurity/trivy-action@0.29.0 | |
# docker run --rm -v trivy_cache:/root/.cache/ aquasec/trivy image ghcr.io/b3partners/brmo-service:snapshot | |
with: | |
image-ref: "ghcr.io/b3partners/${{ matrix.docker-image }}:snapshot" | |
format: 'sarif' | |
output: "${{ matrix.docker-image }}-trivy-results.sarif" | |
severity: 'HIGH,CRITICAL' | |
limit-severities-for-sarif: true | |
cache-dir: .trivy | |
- name: 'Check file existence' | |
id: check_files | |
uses: andstor/file-existence-action@v3 | |
with: | |
files: "${{ matrix.docker-image }}-trivy-results.sarif" | |
- name: 'Upload Trivy scan results to GitHub Security tab' | |
uses: github/codeql-action/upload-sarif@v3 | |
if: steps.check_files.outputs.files_exists == 'true' | |
with: | |
sarif_file: "${{ matrix.docker-image }}-trivy-results.sarif" | |
- name: 'Upload sarif as a Build Artifact' | |
uses: actions/upload-artifact@v4 | |
if: steps.check_files.outputs.files_exists == 'true' | |
with: | |
name: "sarif-results.${{ matrix.docker-image }}" | |
path: "${{ matrix.docker-image }}-trivy-results.sarif" | |
retention-days: 1 |