Merge pull request #1127 from zama-ai/youben11-patch-8

Scan docker images with trivy
zama-ai · Oct 31, 2024 · 2447acf · 2447acf
2 parents fe12713 + 463c2a1
commit 2447acf
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 4 deletions.
diff --git a/.github/workflows/compiler_publish_docker_images.yml b/.github/workflows/compiler_publish_docker_images.yml
@@ -64,6 +64,16 @@ jobs:
           DOCKER_BUILDKIT=1 docker build --no-cache \
             --label "commit-sha=${{ github.sha }}" -t ${{ matrix.image }} -f ${{ matrix.dockerfile }} .
 
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
+        with:
+          image-ref: '${{ matrix.image }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
       - name: Tag and Publish Image
         run: |
           docker image tag ${{ matrix.image }} ${{ matrix.image }}:${{ github.sha }}
@@ -100,11 +110,24 @@ jobs:
         if: contains(steps.changed-files.outputs.modified_files, 'docker/Dockerfile.hpx-env') || contains(steps.changed-files.outputs.modified_files, env.THIS_FILE)
         run: echo "${{ secrets.GHCR_PASSWORD }}" | docker login -u ${{ secrets.GHCR_LOGIN }} --password-stdin ghcr.io
 
-      - name: Build Tag and Publish
+      - name: Build
         if: ${{ steps.login.conclusion != 'skipped' }}
-        run: |
-          docker build -t "${IMAGE}" -f docker/Dockerfile.hpx-env .
-          docker push "${IMAGE}:latest"
+        run: docker build -t "${IMAGE}" -f docker/Dockerfile.hpx-env .
+
+      - name: Run Trivy vulnerability scanner
+        if: ${{ steps.login.conclusion != 'skipped' }}
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
+        with:
+          image-ref: '${{ env.IMAGE }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Publish
+        if: ${{ steps.login.conclusion != 'skipped' }}
+        run: docker push "${IMAGE}:latest"
 
   BuildAndPublishCUDADockerImage:
     name: Build & Publish CUDA Docker Image
@@ -149,6 +172,17 @@ jobs:
           docker image tag "${IMAGE}" "${IMAGE}:${{ matrix.tag }}"
           docker push "${IMAGE}:${{ matrix.tag }}"
 
+      - name: Run Trivy vulnerability scanner
+        if: ${{ steps.login.conclusion != 'skipped' }}
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
+        with:
+          image-ref: '${{ env.IMAGE }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
       - name: Push Latest Image
         if: ${{ steps.login.conclusion != 'skipped' && matrix.tag == '11-8' }}
         run: docker push "${IMAGE}:latest"
diff --git a/.github/workflows/concrete_python_push_docker_image.yml b/.github/workflows/concrete_python_push_docker_image.yml
@@ -34,6 +34,16 @@ jobs:
           mkdir empty_context
           docker image build -t ${{ env.NAME_TAG }} --build-arg version=${{ env.VERSION }} -f ${{ env.DOCKER_FILE }} empty_context
 
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
+        with:
+          image-ref: '${{ env.NAME_TAG }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
       - name: Login to Docker Hub
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with: