[PLAY-445] Add trivy scans (#287)

Add trivy scans as part of CI/CD
theketchio · Nov 15, 2023 · 2eef34a · 2eef34a
1 parent cfbb772
commit 2eef34a
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 4 deletions.
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
@@ -1,6 +1,13 @@
 name: deploy
 
-on: push
+on:
+  push:
+    tags:
+      - "*"
+    branches:
+      - "*"
+  schedule:
+    - cron: "0 0 * * 1"
 
 jobs:
   build:
@@ -102,13 +109,34 @@ jobs:
         run: |
           cli_tests/job.sh
           cli_tests/app.sh
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       - name: Login to Docker Hub
-        uses: docker/login-action@v1
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
+
       - name: Push to Docker Hub
         uses: docker/build-push-action@v2
         with:
           tags: shipasoftware/ketch:${{github.sha}}
-          push: true
+          push: true
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@f78e9ecf42a1271402d4f484518b9313235990e1
+        with:
+          image-ref: shipasoftware/ketch:${{ github.sha }}
+          format: "sarif"
+          output: "trivy-results.sarif"
+          exit-code: "1"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: "trivy-results.sarif"
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -90,4 +90,4 @@ jobs:
           file: bin/*
           tag: ${{ github.ref }}
           overwrite: true
-          file_glob: true
+          file_glob: true