docker-image-scan.yml

name: docker-image-scan
on:
  workflow_dispatch:

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      - id: trivy-db
        name: Check trivy db sha
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          endpoint='/orgs/aquasecurity/packages/container/trivy-db/versions'
          headers='Accept: application/vnd.github+json'
          jqFilter='.[] | select(.metadata.container.tags[] | contains("latest")) | .name | sub("sha256:";"")'
          sha=$(gh api -H "${headers}" "${endpoint}" | jq --raw-output "${jqFilter}")
          echo "Trivy DB sha256:${sha}"
          echo "::set-output name=sha::${sha}"

      - id: ignore-policies
        name: Ignore some policies
        run: |
          cat > .trivyignore << EOL
          # Ignore gosu issue. They say they are not affected. Issue will be removed as soon
          # as wiremock image updates to a newer gosu verion, which removed runc.
          CVE-2023-27561
          EOL
      - uses: actions/cache@v3
        with:
          path: .trivy
          key: ${{ runner.os }}-trivy-db-${{ steps.trivy-db.outputs.sha }}
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/holomekc/wiremock-gui'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
          hide-progress: true
          cache-dir: .trivy
      - name: Fix .trivy permissions
        run: sudo chown -R $(stat . -c %u:%g) .trivy