Add trivy vulnerability scanner in build step #872
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Image build | |
| on: [pull_request] | |
| jobs: | |
| build-thin: | |
| name: Image build thin plugin | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check out code into the Go module directory | |
| uses: actions/checkout@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| # note: disable sbom/provenance for now (gchr.io does not managed well yet) | |
| - name: Build container image | |
| uses: docker/build-push-action@v3 | |
| with: | |
| context: . | |
| push: false | |
| tags: ghcr.io/${{ github.repository }}:latest | |
| file: images/Dockerfile | |
| platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/ppc64le,linux/s390x | |
| sbom: false | |
| provenance: false | |
| # note: disable sbom/provenance for now (gchr.io does not managed well yet) | |
| - name: Build container debug image | |
| uses: docker/build-push-action@v3 | |
| with: | |
| context: . | |
| push: false | |
| tags: ghcr.io/${{ github.repository }}:latest | |
| file: images/Dockerfile.debug | |
| platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/ppc64le,linux/s390x | |
| sbom: false | |
| provenance: false | |
| build-amd64-thick: | |
| name: Image build/amd64 thick plugin | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check out code into the Go module directory | |
| uses: actions/checkout@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| - name: Build container image | |
| uses: docker/build-push-action@v3 | |
| with: | |
| context: . | |
| push: false | |
| tags: ghcr.io/${{ github.repository }}:latest-amd64-thick | |
| file: images/Dockerfile.thick | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: ghcr.io/${{ github.repository }}:latest-amd64-thick | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| build-origin: | |
| name: Image build/origin | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check out code into the Go module directory | |
| uses: actions/checkout@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| - name: Download OKD Builder Dockerfile | |
| run: curl https://raw.githubusercontent.com/okd-project/images/main/builder/Dockerfile -o images/okd-builder.Dockerfile | |
| - name: Patch OKD Builder Dockerfile to workaround error | |
| run: sed -i -e "s/yum install -y yum-utils/rpm --import \/etc\/pki\/rpm-gpg\/*;yum install -y yum-utils/" images/okd-builder.Dockerfile | |
| - name: Create root for builder | |
| run: mkdir root | |
| - name: Organically build golang builder image | |
| run: docker build -t local/okdbuilder:latest -f images/okd-builder.Dockerfile . | |
| - name: Organically build Multus origin image | |
| run: docker build -t local/multus-cni:latest-origin -f images/Dockerfile.openshift . |