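# Scans the published BRMO container images with Trivy and uploads the
# HIGH/CRITICAL findings as SARIF to the GitHub Security tab.
name: 'Trivy Security Scan'

on:
  # use pull_request so this workflow does not fail when triggered by dependabot PRs
  pull_request:
  # weekly scheduled scan (Sunday 23:17 UTC) of the already-published images
  schedule:
    - cron: "17 23 * * 0"
  workflow_dispatch:

env:
  MAVEN_VERSION: '3.9.9'

jobs:
  build:
    name: "Trivy Scan ${{ matrix.docker-image }}"
    runs-on: ubuntu-latest
    # Least-privilege token: the job only needs to read the repository and
    # write code-scanning results. Without an explicit block the job inherits
    # the repository-wide default, which may be broader than needed.
    permissions:
      contents: read
      security-events: write  # required by github/codeql-action/upload-sarif
      actions: read           # only needed by upload-sarif on private repositories
    strategy:
      fail-fast: false
      matrix:
        java: [ 17 ]
        java-dist: [ 'temurin' ]
        docker-image:
          - 'brmo-bag2-loader'
          - 'brmo-bgt-loader'
          - 'brmo-service'
          - 'brmo-service-db'
    steps:
      # NOTE(review): the actions below are pinned by tag only; pinning each
      # `uses:` to a full commit SHA makes the executed action code immutable.
      - uses: actions/checkout@v4
      - name: 'Set up JDK'
        uses: actions/setup-java@v4
        with:
          distribution: "${{ matrix.java-dist }}"
          java-version: ${{ matrix.java }}
          cache: 'maven'
      - name: 'Set up Maven'
        uses: stCarolas/setup-maven@v5
        with:
          maven-version: ${{ env.MAVEN_VERSION }}
      # NOTE(review): the Trivy step scans the published ':snapshot' image, not
      # the artifacts produced by this build — confirm this step is still needed.
      - name: "Build Java ${{ matrix.java }}"
        run: mvn -U package -Dmaven.test.skip=true -Ddocker.skip=true -Dtest.onlyITs= -DskipQA=true -Dmaven.javadoc.skip=true
      - name: "Run Trivy vulnerability scanner on ${{ matrix.docker-image }}"
        uses: aquasecurity/trivy-action@0.24.0
        # docker run --rm -v trivy_cache:/root/.cache/ aquasec/trivy image ghcr.io/b3partners/brmo-service:snapshot
        with:
          # ':snapshot' is a mutable tag: what gets scanned is whatever was pushed last,
          # so a run is not reproducible against a fixed image digest.
          image-ref: "ghcr.io/b3partners/${{ matrix.docker-image }}:snapshot"
          format: 'sarif'
          output: "${{ matrix.docker-image }}-trivy-results.sarif"
          severity: 'HIGH,CRITICAL'
          limit-severities-for-sarif: true
      # Both upload steps below are gated on the SARIF file actually existing.
      - name: 'Check file existence'
        id: check_files
        uses: andstor/file-existence-action@v3
        with:
          files: "${{ matrix.docker-image }}-trivy-results.sarif"
      - name: 'Upload Trivy scan results to GitHub Security tab'
        uses: github/codeql-action/upload-sarif@v3
        if: steps.check_files.outputs.files_exists == 'true'
        with:
          sarif_file: "${{ matrix.docker-image }}-trivy-results.sarif"
      - name: 'Upload sarif as a Build Artifact'
        uses: actions/upload-artifact@v4
        if: steps.check_files.outputs.files_exists == 'true'
        with:
          name: "sarif-results.${{ matrix.docker-image }}"
          path: "${{ matrix.docker-image }}-trivy-results.sarif"
          retention-days: 1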