-
-
Notifications
You must be signed in to change notification settings - Fork 784
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ci: add trivy image scanning (#1663)
* add trivy image scanning * implement as partial workflow * support both the frontend and backend Dockerfiles for scanning * fix docker build context location
- Loading branch information
1 parent
82dc586
commit 0801f0a
Showing
3 changed files
with
70 additions
and
0 deletions.
There are no files selected for viewing
31 changes: 31 additions & 0 deletions
31
.github/workflows/partial-trivy-backend-container-scanning.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| name: Trivy Backend Container Scanning | ||
|
|
||
| on: | ||
| workflow_call: | ||
|
|
||
| jobs: | ||
| build: | ||
| name: Build and Scan Backend Container | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| fail-fast: true | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Build Dockerfile | ||
| run: | | ||
| docker build -t mealie . | ||
| - name: Run Trivy vulnerability scanner | ||
| uses: aquasecurity/trivy-action@master | ||
| with: | ||
| ignore-unfixed: true | ||
| image-ref: "mealie" | ||
| format: "sarif" | ||
| output: "trivy-results.sarif" | ||
|
|
||
| - name: Upload Trivy scan results to GitHub Security tab | ||
| uses: github/codeql-action/upload-sarif@v2 | ||
| with: | ||
| sarif_file: "trivy-results.sarif" |
31 changes: 31 additions & 0 deletions
31
.github/workflows/partial-trivy-frontend-container-scanning.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| name: Trivy Frontend Container Scanning | ||
|
|
||
| on: | ||
| workflow_call: | ||
|
|
||
| jobs: | ||
| build: | ||
| name: Build and Scan Frontend Container | ||
| runs-on: ubuntu-latest | ||
| strategy: | ||
| fail-fast: true | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v3 | ||
|
|
||
| - name: Build Dockerfile | ||
| run: | | ||
| docker build -t mealie ./frontend/ | ||
| - name: Run Trivy vulnerability scanner | ||
| uses: aquasecurity/trivy-action@master | ||
| with: | ||
| ignore-unfixed: true | ||
| image-ref: "mealie" | ||
| format: "sarif" | ||
| output: "trivy-results.sarif" | ||
|
|
||
| - name: Upload Trivy scan results to GitHub Security tab | ||
| uses: github/codeql-action/upload-sarif@v2 | ||
| with: | ||
| sarif_file: "trivy-results.sarif" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters