Skip to content

Commit

Permalink
[CI] Update builds so that Trivy scan is in a separate job. (#487)
Browse files Browse the repository at this point in the history
  • Loading branch information
@corneil
corneil authored Nov 6, 2024
1 parent 9cb0f09 commit ff43359
Show file tree
Hide file tree
Showing 4 changed files with 104 additions and 36 deletions.
38 changes: 26 additions & 12 deletions .github/workflows/build-snapshot-worker.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -64,18 +64,6 @@ jobs:
path: '**/surefire-reports/*.xml'
reporter: java-junit
list-tests: 'failed'
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
# zoo success
- name: Notify Build Success Zoo Handler Controller
uses: jvalkeal/[email protected]
Expand All @@ -101,3 +89,29 @@ jobs:
- name: Clean cache
run: |
find ~/.m2/repository -type d -name '*SNAPSHOT' | xargs rm -fr
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
- name: 'Scanned'
shell: bash
run: echo "::info ::Scanned"
done:
runs-on: ubuntu-latest
needs: [ scan, build ]
steps:
- name: 'Done'
shell: bash
run: echo "::info ::Done"
38 changes: 26 additions & 12 deletions .github/workflows/milestone-worker.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -68,18 +68,6 @@ jobs:
jfrog rt build-publish
echo BUILD_ZOO_HANDLER_spring_cloud_deployer_buildname=spring-cloud-deployer-main-milestone >> $GITHUB_ENV
echo BUILD_ZOO_HANDLER_spring_cloud_deployer_buildnumber=$GITHUB_RUN_NUMBER >> $GITHUB_ENV
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
# zoo tag
- name: Tag Release
uses: jvalkeal/[email protected]
Expand Down Expand Up @@ -113,3 +101,29 @@ jobs:
- name: Clean cache
run: |
find ~/.m2/repository -type d -name '*SNAPSHOT' | xargs rm -fr
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
- name: 'Scanned'
shell: bash
run: echo "::info ::Scanned"
done:
runs-on: ubuntu-latest
needs: [ scan, build ]
steps:
- name: 'Done'
shell: bash
run: echo "::info ::Done"
26 changes: 26 additions & 0 deletions .github/workflows/next-dev-version-worker.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -97,3 +97,29 @@ jobs:
- name: Clean cache
run: |
find ~/.m2/repository -type d -name '*SNAPSHOT' | xargs rm -fr
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
- name: 'Scanned'
shell: bash
run: echo "::info ::Scanned"
done:
runs-on: ubuntu-latest
needs: [ scan, build ]
steps:
- name: 'Done'
shell: bash
run: echo "::info ::Done"
38 changes: 26 additions & 12 deletions .github/workflows/release-worker.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,18 +66,6 @@ jobs:
jfrog rt build-publish
echo BUILD_ZOO_HANDLER_spring_cloud_deployer_buildname=spring-cloud-deployer-main-release >> $GITHUB_ENV
echo BUILD_ZOO_HANDLER_spring_cloud_deployer_buildnumber=$GITHUB_RUN_NUMBER >> $GITHUB_ENV
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
# zoo tag
- name: Tag Release
uses: jvalkeal/[email protected]
Expand Down Expand Up @@ -111,3 +99,29 @@ jobs:
- name: Clean cache
run: |
find ~/.m2/repository -type d -name '*SNAPSHOT' | xargs rm -fr
scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
- name: 'Scanned'
shell: bash
run: echo "::info ::Scanned"
done:
runs-on: ubuntu-latest
needs: [ scan, build ]
steps:
- name: 'Done'
shell: bash
run: echo "::info ::Done"

0 comments on commit ff43359

Please sign in to comment.