

docker-image-scan.yml aktualisieren
holomekc authored Apr 1, 2024
1 parent 5a78950 commit e401cab
Showing 1 changed file with 53 additions and 4 deletions.
57 changes: 53 additions & 4 deletions .github/workflows/docker-image-scan.yml
Expand Up @@ -10,6 +10,7 @@ jobs:
runs-on: ubuntu-latest
outputs:
result: ${{ steps.trivy-result.outputs.result }}
result-alpine: ${{ steps.trivy-result-alpine.outputs.result }}
version: ${{ steps.extract-version.outputs.version }}
steps:
- name: Checkout code
Expand Down Expand Up @@ -59,7 +60,7 @@ jobs:
- name: Run Trivy json result
uses: aquasecurity/[email protected]
with:
image-ref: 'docker.io/holomekc/wiremock-gui'
image-ref: 'docker.io/holomekc/wiremock-gui:${{ needs.scan.outputs.version }}'
format: 'json'
exit-code: '0'
output: trivy-result.json
Expand All @@ -71,7 +72,7 @@ jobs:
- name: Run Trivy sarif result
uses: aquasecurity/[email protected]
with:
image-ref: 'docker.io/holomekc/wiremock-gui'
image-ref: 'docker.io/holomekc/wiremock-gui:${{ needs.scan.outputs.version }}'
format: 'sarif'
exit-code: '0'
output: trivy-result.sarif
Expand All @@ -84,7 +85,7 @@ jobs:
- name: Run Trivy sbom result
uses: aquasecurity/[email protected]
with:
image-ref: 'docker.io/holomekc/wiremock-gui'
image-ref: 'docker.io/holomekc/wiremock-gui:${{ needs.scan.outputs.version }}'
format: 'github'
exit-code: '0'
output: dependency-results.sbom.json
Expand All @@ -94,6 +95,44 @@ jobs:
hide-progress: true
cache-dir: .trivy
github-pat: ${{ secrets.GITHUB_TOKEN }}
- name: Run Trivy json result
uses: aquasecurity/[email protected]
with:
image-ref: 'docker.io/holomekc/wiremock-gui:${{ needs.scan.outputs.version }}-alpine'
format: 'json'
exit-code: '0'
output: trivy-result-alpine.json
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
hide-progress: true
cache-dir: .trivy
- name: Run Trivy sarif result
uses: aquasecurity/[email protected]
with:
image-ref: 'docker.io/holomekc/wiremock-gui:${{ needs.scan.outputs.version }}-alpine'
format: 'sarif'
exit-code: '0'
output: trivy-result-alpine.sarif
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
limit-severities-for-sarif: true
hide-progress: true
cache-dir: .trivy
- name: Run Trivy sbom result
uses: aquasecurity/[email protected]
with:
image-ref: 'docker.io/holomekc/wiremock-gui:${{ needs.scan.outputs.version }}-alpine'
format: 'github'
exit-code: '0'
output: dependency-results-alpine.sbom.json
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
hide-progress: true
cache-dir: .trivy
github-pat: ${{ secrets.GITHUB_TOKEN }}
- name: Fix .trivy permissions
run: sudo chown -R $(stat . -c %u:%g) .trivy

Expand All @@ -107,6 +146,16 @@ jobs:
echo "result=${code}" >> $GITHUB_OUTPUT
cat trivy-result.sarif
- name: Check result
id: trivy-result-alpine
shell: bash
run: |
#!/bin/bash
cat trivy-result-alpine.json
jq -e 'select((.Results[].Vulnerabilities | length) > 0)' trivy-result-alpine.json && code=$? || code=$?
echo "result=${code}" >> $GITHUB_OUTPUT
cat trivy-result-alpine.sarif
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
Expand All @@ -115,7 +164,7 @@ jobs:
docker:
needs: [scan]
# Looks strange, but 0=Vulnerabilities found
if: ${{ needs.scan.outputs.result == 0 }}
if: ${{ needs.scan.outputs.result == 0 || needs.scan.outputs.result-alpine == 0 }}
uses: ./.github/workflows/docker-release.yml
with:
version: ${{ needs.scan.outputs.version }}
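Review bot: The new `image-ref` values at L27, L36, L45, L56, L68 and L81 read `needs.scan.outputs.version`, which looks like it is evaluated inside the `scan` job itself, where the `needs` context has no `scan` entry and the expression silently expands to an empty string. The evidence is that the `result-alpine` output at L18 is wired to `steps.trivy-result-alpine` (the step added at L98), so these Trivy steps sit in the job whose outputs L16-L19 declare, and the `docker` job at L110-L114 addresses that same job as `scan`; if that reading is right, the refs degrade to `docker.io/holomekc/wiremock-gui:` and `...:-alpine` (the latter is not even a valid tag), so the scans never examine the released version and the job-level `version` output cannot be trusted by `docker-release.yml`. Inside the job the value is available as a step output, i.e. `image-ref: 'docker.io/holomekc/wiremock-gui:${{ steps.extract-version.outputs.version }}'` and the same with the `-alpine` suffix. Separately, the alpine scan writes `trivy-result-alpine.sarif` (L71) but no upload of it is visible in the hunks; a second `upload-sarif` step would need its own `category` (for example `category: trivy-alpine`) so it does not replace the non-alpine analysis for the same commit. The upload step's `with:` block at L108 continues outside the hunk, so whether the alpine SARIF is already covered there cannot be confirmed from this view.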
