From 083e0a5be4cff05473acc2598b04b4cd976f4c11 Mon Sep 17 00:00:00 2001 From: Hubert Siwik Date: Wed, 13 Nov 2024 10:42:50 +0100 Subject: [PATCH] feat: Add Trivy scanner to the pipeline Signed-off-by: Hubert Siwik --- .github/workflows/verifyimage.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/.github/workflows/verifyimage.yml b/.github/workflows/verifyimage.yml index 8d785e1..9b754ff 100644 --- a/.github/workflows/verifyimage.yml +++ b/.github/workflows/verifyimage.yml @@ -14,6 +14,7 @@ jobs: runs-on: ubuntu-latest outputs: targets: ${{ steps.generate.outputs.targets }} + repo: ${{ steps.metadata.outputs.repo }} steps: - name: Checkout uses: actions/checkout@v4 @@ -25,6 +26,10 @@ jobs: curl -sSL https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/modsecurity.conf-recommended -o modsecurity.conf-recommended echo '${{ env.MODSECURITY_RECOMMENDED }}' > sha256sum.txt sha256sum -c sha256sum.txt + # The environment variable is not accessible in the context of "with" section + - name: Set a repo output + id: metadata + run: echo "repo=${REPO}" >> "$GITHUB_OUTPUT" build: runs-on: ubuntu-latest @@ -60,6 +65,18 @@ jobs: load: true push: false + # In case of TOOMANYREQUESTS the cache mechanism should be considered + - name: Scan ${{ matrix.target }} + uses: aquasecurity/trivy-action@0.27.0 + with: + image-ref: ${{ needs.prepare.outputs.repo }}:${{ matrix.target }} + format: 'table' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + scanners: 'vuln,secret' + - name: Run ${{ matrix.target }} run: | echo "Starting container ${{ matrix.target }}"