Skip to content

[openfl-docker] Remove startup script dependency #822

[openfl-docker] Remove startup script dependency

[openfl-docker] Remove startup script dependency #822

Workflow file for this run

name: Trivy
on:
push:
branches: [ develop ]
pull_request:
jobs:
build:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Build
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Build an image from Dockerfile
run: |
docker build --pull -t docker.io/securefederatedai/openfl:${{ github.sha }} -f openfl-docker/Dockerfile.base .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: 'docker.io/securefederatedai/openfl:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
- name: Install Trivy
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.55.0
- name: Run Trivy code vulnerability scanner (JSON Output)
run: |
trivy --quiet fs --format json --output trivy-code-results.json --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH,MEDIUM,LOW .
- name: Upload Code Vulnerability Scan Results
uses: actions/upload-artifact@v3
with:
name: trivy-code-report-json
path: trivy-code-results.json
- name: Run Trivy vulnerability scanner for Docker image (JSON Output)
uses: aquasecurity/[email protected]
with:
image-ref: 'docker.io/securefederatedai/openfl:${{ github.sha }}'
format: 'json'
output: 'trivy-docker-results.json'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'
- name: Upload Docker Vulnerability Scan
uses: actions/upload-artifact@v3
with:
name: trivy-docker-report-json
path: trivy-docker-results.json
- name: Run Trivy code vulnerability scanner (SPDX-JSON Output)
run: |
trivy --quiet fs --format spdx-json --output trivy-code-spdx-results.json --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH,MEDIUM,LOW .
- name: Upload Code Vulnerability Scan Results
uses: actions/upload-artifact@v3
with:
name: trivy-code-spdx-report-json
path: trivy-code-spdx-results.json
- name: Run Trivy vulnerability scanner for Docker image (SPDX-JSON Output)
uses: aquasecurity/[email protected]
with:
image-ref: 'docker.io/securefederatedai/openfl:${{ github.sha }}'
format: 'spdx-json'
output: 'trivy-docker-spdx-results.json'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'
- name: Upload Docker Vulnerability Scan
uses: actions/upload-artifact@v3
with:
name: trivy-docker-spdx-report-json
path: trivy-docker-spdx-results.json