Include vulnerability scan in the docker build step

ba-st · Apr 18, 2024 · 2c6a6bf · 2c6a6bf
1 parent 2a755be
commit 2c6a6bf
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 39 deletions.
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -12,6 +12,9 @@ on:
 jobs:
   build_and_publish:
     name: Build and Publish Docker images
+    permissions:
+      contents: read
+      security-events: write
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -108,3 +111,19 @@ jobs:
           tags: ${{ steps.docker_meta_runtime_gem.outputs.tags }}
           labels: ${{ steps.docker_meta_runtime_gem.outputs.labels }}
           secrets: GIT_AUTH_TOKEN=${{ secrets.DOCKER_REGISTRY_TOKEN }}
+
+      # Scan for vulnerabilities
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ghcr.io/${{ github.repository_owner }}/gs64:${{ github.sha }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          limit-severities-for-sarif: true
+          ignore-unfixed: true
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml