Run Trivy separately to try to debug what's happening.

ukwa · Nov 16, 2023 · a5f7124 · a5f7124
1 parent dc5b909
commit a5f7124
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 1 deletion.
diff --git a/.github/workflows/push-to-docker-hub.yml b/.github/workflows/push-to-docker-hub.yml
@@ -1,4 +1,4 @@
-name: Build, scan and push to Docker Hub
+name: Build, run checks, and push to Docker Hub
 
 on:
   push:

diff --git a/.github/workflows/run-trivy.yml b/.github/workflows/run-trivy.yml
@@ -0,0 +1,32 @@
+name: Run Checks
+
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'