Skip to content

Trivy Security Scan #1135

Trivy Security Scan

Trivy Security Scan #1135

Workflow file for this run

name: 'Trivy Security Scan'
on: # use pull request so this workflow dos not fail when triggered by dependabot PR's
pull_request:
schedule:
- cron: "17 23 * * 0"
workflow_dispatch:
env:
MAVEN_VERSION: '3.9.9'
jobs:
build:
name: "Trivy Scan ${{ matrix.docker-image }}"
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
java: [ 17 ]
java-dist: [ 'temurin' ]
docker-image:
- 'brmo-bag2-loader'
- 'brmo-bgt-loader'
- 'brmo-service'
- 'brmo-service-db'
steps:
- uses: actions/checkout@v4
- name: 'Set up JDK'
uses: actions/setup-java@v4
with:
distribution: "${{ matrix.java-dist }}"
java-version: ${{ matrix.java }}
cache: 'maven'
- name: 'Set up Maven'
uses: stCarolas/setup-maven@v5
with:
maven-version: ${{ env.MAVEN_VERSION }}
- name: "Build Java ${{ matrix.java }}"
run: mvn -U package -Dmaven.test.skip=true -Ddocker.skip=true -Dtest.onlyITs= -DskipQA=true -Dmaven.javadoc.skip=true
- name: 'Trivy Cache'
uses: yogeshlonkar/trivy-cache-action@v0.1.10
with:
gh-token: ${{ secrets.GITHUB_TOKEN }}
- name: "Run Trivy vulnerability scanner on ${{ matrix.docker-image }}"
uses: aquasecurity/trivy-action@0.29.0
# docker run --rm -v trivy_cache:/root/.cache/ aquasec/trivy image ghcr.io/b3partners/brmo-service:snapshot
with:
image-ref: "ghcr.io/b3partners/${{ matrix.docker-image }}:snapshot"
format: 'sarif'
output: "${{ matrix.docker-image }}-trivy-results.sarif"
severity: 'HIGH,CRITICAL'
limit-severities-for-sarif: true
cache-dir: .trivy
- name: 'Check file existence'
id: check_files
uses: andstor/file-existence-action@v3
with:
files: "${{ matrix.docker-image }}-trivy-results.sarif"
- name: 'Upload Trivy scan results to GitHub Security tab'
uses: github/codeql-action/upload-sarif@v3
if: steps.check_files.outputs.files_exists == 'true'
with:
sarif_file: "${{ matrix.docker-image }}-trivy-results.sarif"
- name: 'Upload sarif as a Build Artifact'
uses: actions/upload-artifact@v4
if: steps.check_files.outputs.files_exists == 'true'
with:
name: "sarif-results.${{ matrix.docker-image }}"
path: "${{ matrix.docker-image }}-trivy-results.sarif"
retention-days: 1