From 2eef34aa9c976ea82c54d0b1d792187785438b97 Mon Sep 17 00:00:00 2001
From: Stevan Koncar
Date: Wed, 15 Nov 2023 14:20:26 +0100
Subject: [PATCH] [PLAY-445] Add trivy scans (#287)
Add trivy scans as part of CI/CD
---
 .github/workflows/deploy.yaml | 34 +++++++++++++++++++++++++++++++---
 .github/workflows/release.yaml | 2 +-
 2 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 45985302..a5e7ac29 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -1,6 +1,13 @@
 name: deploy
-on: push
+on:
+ push:
+ tags:
+ - "*"
+ branches:
+ - "*"
+ schedule:
+ - cron: "0 0 * * 1"
 jobs:
 build:
@@ -102,13 +109,34 @@ jobs:
 run: |
 cli_tests/job.sh
 cli_tests/app.sh
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
 - name: Login to Docker Hub
- uses: docker/login-action@v1
+ uses: docker/login-action@v3
 with:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_PASSWORD }}
+
 - name: Push to Docker Hub
 uses: docker/build-push-action@v2
 with:
 tags: shipasoftware/ketch:${{github.sha}}
- push: true
\ No newline at end of file
+ push: true
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@f78e9ecf42a1271402d4f484518b9313235990e1
+ with:
+ image-ref: shipasoftware/ketch:${{ github.sha }}
+ format: "sarif"
+ output: "trivy-results.sarif"
+ exit-code: "1"
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: "trivy-results.sarif"
\ No newline at end of file
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 78795495..02c35301 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -90,4 +90,4 @@ jobs:
 file: bin/*
 tag: ${{ github.ref }}
 overwrite: true
- file_glob: true
\ No newline at end of file
+ file_glob: true
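Review bot: The `"*"` globs added under `branches` and `tags` do not match `/`, so pushes to refs such as `feature/x`, which the previous bare `on: push` built, no longer trigger this workflow; use `"**"` if every ref is still intended. The new weekly `schedule` reruns the whole `build` job, and later in this same diff that job logs in to Docker Hub and pushes `shipasoftware/ketch:${{github.sha}}`, so each Monday the default-branch image is rebuilt and its SHA tag overwritten with no source change; if the cron exists only to re-scan, guard the publish step with `if: github.event_name != 'schedule'` or move the scan into its own job. Generic YAML 1.1 loaders read the `on` key as boolean `true`; GitHub's parser handles it, but yamllint needs its `truthy` rule relaxed for this key. The `jobs`/`build` block the hunk ends in continues outside the hunk.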
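Review bot: The `Upload Trivy scan results to GitHub Security tab` step at the end of the hunk never runs when Trivy actually finds something, because `exit-code: "1"` fails the scan step and the upload step carries no `if:` condition, so findings are precisely the case that never reaches the Security tab; add `if: always()` to the upload step. The scan also runs only after `Push to Docker Hub` has already published `shipasoftware/ketch:${{github.sha}}`, so a failing scan does not keep a vulnerable image out of the registry; building with `load: true` / `push: false` first, scanning the local image, and pushing only after the scan passes closes that gap, as sketched below. The new `docker/*` and `upload-sarif` steps are pinned to mutable major tags while the Trivy step is pinned to a full commit SHA; pinning all of them the same way keeps the supply-chain posture consistent. The enclosing `build` job starts outside the hunk.

```yaml
      - name: Build image
        uses: docker/build-push-action@v2
        with:
          tags: shipasoftware/ketch:${{github.sha}}
          load: true
          push: false

      # … unchanged: Run Trivy vulnerability scanner step …

      - name: Upload Trivy scan results to GitHub Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: "trivy-results.sarif"

      - name: Push to Docker Hub
        uses: docker/build-push-action@v2
        with:
          tags: shipasoftware/ketch:${{github.sha}}
          push: true
```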