trivy-scan.yml
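name: Vulnerability Scan

on:
  schedule:
    # run every night at 4:00 AM (UTC)
    - cron: '0 4 * * *'
  # enable running the workflow manually
  workflow_dispatch:

# Least-privilege token. The job only needs to read the repository and write
# SARIF results into the Security tab (upload-sarif requires
# security-events: write; actions: read is needed for private repositories).
# Without this block the job inherits the repository's default GITHUB_TOKEN
# scope, which may be write-all.
permissions:
  contents: read
  actions: read
  security-events: write

jobs:
  scan:
    runs-on: ubuntu-latest
    # An explicit `bash` shell runs every step with `-e -o pipefail`, so a
    # failing `wget | tar` or API call aborts the step instead of being masked
    # by the exit status of the last command in the pipeline.
    defaults:
      run:
        shell: bash
    steps:
      # NOTE(review): all actions below are referenced by mutable tags. For
      # supply-chain hardening pin each `uses:` to a full commit SHA (keep the
      # tag in a trailing comment) and let Dependabot/Renovate bump the SHA.
      - name: Checkout code
        uses: actions/checkout@v3

      - name: Set up Maven
        uses: stCarolas/[email protected]
        with:
          maven-version: 3.8.6

      - name: Set up JDK
        uses: actions/setup-java@v3
        with:
          distribution: "temurin"
          java-version: "17"
          cache: "maven"

      # Build the hawkBit artifacts and produce the local
      # `hawkbit/hawkbit-*:latest` images that are scanned further down.
      - name: Create hawkBit container images
        run: |
          mvn clean install -DskipTests && \
          cd hawkbit-runtime/docker/docker_build && \
          chmod +x build_all_dev.sh && \
          ./build_all_dev.sh

      - name: Determine most recent Trivy version
        run: |
          TRIVY_VERSION="$(wget -qO - 'https://api.github.com/repos/aquasecurity/trivy/releases/latest' | \
            grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')"
          # Refuse anything that is not a plain x.y.z version. An empty result
          # (e.g. unauthenticated API rate limit) or unexpected response content
          # must never reach the download URL or the shell below.
          if ! [[ "${TRIVY_VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "Could not determine Trivy version (got '${TRIVY_VERSION}')" >&2
            exit 1
          fi
          echo "TRIVY_VERSION=${TRIVY_VERSION}" >> "$GITHUB_ENV"

      - name: Install Trivy
        # TRIVY_VERSION is read as a shell variable rather than via
        # `${{ env.TRIVY_VERSION }}`: the value originates from an external HTTP
        # response, and an expression would be spliced into the script text
        # before bash ever sees it (script injection).
        run: |
          TARBALL="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
          CHECKSUMS="trivy_${TRIVY_VERSION}_checksums.txt"
          BASE_URL="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}"
          wget --no-verbose "${BASE_URL}/${TARBALL}"
          wget --no-verbose "${BASE_URL}/${CHECKSUMS}"
          # Verify the archive against the checksums published with the release
          # before anything from it is executed.
          grep " ${TARBALL}\$" "${CHECKSUMS}" | sha256sum -c -
          tar -zxvf "${TARBALL}"

      - name: Scan Docker images
        # Scope: HIGH/CRITICAL findings that have a fix available, and only
        # language-level dependencies (`--vuln-type library`). OS-package
        # vulnerabilities in the base image are therefore NOT reported by this
        # workflow; widen to `--vuln-type os,library` if base-image CVEs should
        # also be tracked.
        run: |
          mkdir -p scans/eclipse/hawkbit
          IMAGES="$(docker image ls --format "{{.Repository}}:{{.Tag}}" "hawkbit/hawkbit-*:latest")"
          # Fail loudly if the build step produced nothing to scan; otherwise
          # the upload step would fail later with a less obvious error.
          if [ -z "${IMAGES}" ]; then
            echo "No hawkbit/hawkbit-*:latest images found to scan" >&2
            exit 1
          fi
          for IMAGE in ${IMAGES}; do
            echo "Scanning image ${IMAGE} ..."
            # One SARIF file per image; the image reference (repo/name:tag)
            # becomes the path under scans/eclipse/, hence the mkdir above.
            ./trivy image --ignore-unfixed --severity HIGH,CRITICAL --vuln-type library \
              --format sarif --output "scans/eclipse/${IMAGE}.sarif" "${IMAGE}"
          done

      - name: Upload Docker image scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'scans/eclipse/hawkbit'
          category: "Container Images"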