Skip to content

Scan pmm server and client docker images #1150

Scan pmm server and client docker images

Scan pmm server and client docker images #1150

Workflow file for this run

name: Scan pmm server and client docker images
on:
workflow_dispatch:
inputs:
server_image:
description: "pmm-server docker image"
required: true
type: string
client_image:
description: "pmm-client docker image"
required: true
type: string
sha:
description: "SHA of commit to update status on"
required: true
type: string
jobs:
scan:
runs-on: ubuntu-latest
env:
SHA: ${{ github.event.inputs.sha || github.event.pull_request.head.sha || github.sha }}
strategy:
fail-fast: false
matrix:
include:
- image: ${{ inputs.server_image }}
- image: ${{ inputs.client_image }}
steps:
- name: Communicate action status back to the PR
uses: percona/gh-action-github-status-action@update-node
continue-on-error: true
with:
authToken: ${{ secrets.GITHUB_TOKEN }}
context: "${{ matrix.image }}"
description: "Trivy vulnerability scanning ${{ job.status }}"
state: "pending"
repository: ${{ github.repository }}
target_url: "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
sha: ${{ env.SHA }}
- name: Set report filename
run: |
echo "REPORT=$(echo ${{ matrix.image }} | cut -d'/' -f2 | tr ':' '-')" >> $GITHUB_ENV
- name: Run trivy scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ matrix.image }}
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
output: ${{ env.REPORT }}
- name: Archive trivy scan results
if: always()
uses: actions/upload-artifact@v4
with:
name: ${{ env.REPORT }}
path: ${{ env.REPORT }}
retention-days: 7
- name: Communicate action status back to the PR
if: always()
uses: percona/gh-action-github-status-action@update-node
continue-on-error: true
with:
authToken: ${{ secrets.GITHUB_TOKEN }}
context: "${{ matrix.image }}"
description: "Trivy vulnerability scanning ${{ job.status }}"
state: ${{ job.status }}
repository: ${{ github.repository }}
target_url: "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
sha: ${{ env.SHA }}