From 48fd1423d6ca9be8a94e50a7074c00167b3d5a78 Mon Sep 17 00:00:00 2001
From: Yogesh Ananda Nikam
Date: Wed, 18 Sep 2024 10:00:20 +0530
Subject: [PATCH 1/3] Docker scan for vulnerabilities stage should fail if HIGH/CRITICAL vulnerability is found
---
 .github/workflows/docker.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 184037b5b..561eb9f76 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -41,7 +41,12 @@ jobs:
 uses: aquasecurity/trivy-action@0.24.0
 with:
 image-ref: znsio/specmatic:${{ steps.read_version.outputs.VERSION }}
- continue-on-error: true
+ severity: HIGH,CRITICAL,MEDIUM,LOW,UNKNOWN
+ exit-code: '1'
+ ignore-unfixed: true
+ severity-threshold: HIGH
+ format: table
+ vulnerability-type: os,library
 - name: Push Docker Image
 run: docker push znsio/specmatic:${{ steps.read_version.outputs.VERSION }}

From 947c953773609822f0b89ebb2690405b2d52e845 Mon Sep 17 00:00:00 2001
From: Yogesh Nikam <60032699+yogeshnikam671@users.noreply.github.com>
Date: Wed, 18 Sep 2024 10:56:59 +0530
Subject: [PATCH 2/3] Update docker.yml to scan only HIGH and CRITICAL vulnerabilities
---
 .github/workflows/docker.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 561eb9f76..a8b0f5998 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -41,10 +41,9 @@ jobs:
 uses: aquasecurity/trivy-action@0.24.0
 with:
 image-ref: znsio/specmatic:${{ steps.read_version.outputs.VERSION }}
- severity: HIGH,CRITICAL,MEDIUM,LOW,UNKNOWN
+ severity: HIGH,CRITICAL
 exit-code: '1'
 ignore-unfixed: true
- severity-threshold: HIGH
 format: table
 vulnerability-type: os,library

From 6860fead430621220c78009d18128e2220d676ce Mon Sep 17 00:00:00 2001
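Review bot: `vulnerability-type: os,library` is not an input of aquasecurity/trivy-action — the action's input is `vuln-type` — so the runner will warn about an unexpected input and ignore the key, and the same line is carried forward unchanged by PATCH 2/3. Because `os,library` matches the action's default the scan behaves the same, but the key reads as configuration that does nothing; change it to `vuln-type: os,library` or drop it. The gate that actually makes the job fail is removing `continue-on-error: true` together with `exit-code: '1'`, and a one-line comment above `exit-code` such as `# fail the job (and skip the push step below) on any finding at the listed severities` would make that intent explicit to the next editor.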
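Review bot: `ignore-unfixed: true` means a HIGH or CRITICAL finding for which no fixed version is available never fails this step, so the image can still be pushed with known but currently unpatchable vulnerabilities; that can be a reasonable trade-off, but nothing in the hunk records it and the PATCH 1/3 title ("should fail if HIGH/CRITICAL vulnerability is found") reads as an unconditional gate. Add a comment above the flag, e.g. `# unfixed HIGH/CRITICAL findings are reported but do not block the push; revisit when fixes ship`, or drop the flag if the title is meant literally. With `format: table` the findings exist only in the job log; if they need to be retained for later triage, the action's `output:` input can write them to a file that a following step uploads as an artifact.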
From: Yogesh Nikam <60032699+yogeshnikam671@users.noreply.github.com>
Date: Wed, 18 Sep 2024 15:27:44 +0530
Subject: [PATCH 3/3] Update docker.yml so that it gets automatically triggered once the release.yml workflow is complete
---
 .github/workflows/docker.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index a8b0f5998..bedb105d3 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -1,6 +1,8 @@
 name: Manual Release Build and Docker Image
 on:
+ repository_dispatch:
+ types: [specmatic-core-release]
 workflow_dispatch:
 jobs:
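Review bot: `repository_dispatch` with `types: [specmatic-core-release]` is added without recording which workflow or credential is expected to send that event, and since this workflow ends by pushing `znsio/specmatic:<version>` to the registry, any holder of a token permitted to dispatch to this repository can now start a registry push. If release.yml lives in this same repository, `workflow_run:` with `workflows: [<release workflow name>]` and `types: [completed]` gives the "after release.yml finishes" behaviour described in the subject without a separately stored personal access token; `repository_dispatch` is only needed when the sender is another repository. In either case, if `steps.read_version` is later changed to take the version from `github.event.client_payload`, that value flows into `run: docker push …` through `${{ }}` and should be passed via an `env:` variable rather than expanded into the shell command. The `name: Manual Release Build and Docker Image` line also no longer describes the trigger and is worth updating alongside the new event.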