
Commit 8eff7ed

authored
[DPE-2921] Add trivy security scanning pipeline (#55)
1 parent 427c046 commit 8eff7ed


3 files changed

+49
-11
lines changed


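--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -31,11 +31,6 @@ jobs:
 
 - name: Install dependencies
 run: |
-sudo snap install docker
-sudo addgroup --system docker; sudo adduser $USER docker
-newgrp docker
-sudo snap disable docker; sudo snap enable docker
-
 sudo snap install yq
 sudo snap install rockcraft --classic --edge
 sudo snap install --devmode --channel edge skopeo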

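--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -52,12 +52,7 @@ jobs:
 uses: actions/checkout@v3
 
 - name: Install dependencies
-run: |
-sudo snap install docker
-sudo addgroup --system docker; sudo adduser $USER docker
-newgrp docker
-sudo snap disable docker; sudo snap enable docker
-
+run: |
 sudo snap install yq
 
 - name: Login to GitHub Container Registry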

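--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,48 @@
+name: trivy
+on:
+pull_request:
+
+jobs:
+build:
+uses: ./.github/workflows/build.yaml
+scan:
+name: Trivy scan
+needs: build
+runs-on: ubuntu-20.04
+steps:
+- name: Checkout code
+uses: actions/checkout@v3
+- name: Install skopeo
+run: |
+sudo snap install --devmode --channel edge skopeo
+- name: Get Artifact Name
+id: artifact
+run: |
+ARTIFACT=$(make help | grep 'Artifact: ')
+echo "name=${ARTIFACT#'Artifact: '}" >> $GITHUB_OUTPUT
+- name: Download artifact
+uses: actions/download-artifact@v3
+with:
+name: charmed-spark
+path: charmed-spark
+- name: Import locally
+run: |
+# Unpack artifact
+mv charmed-spark/${{ steps.artifact.outputs.name }} .
+rmdir charmed-spark
+sudo skopeo --insecure-policy copy \
+docker-archive:${{ steps.artifact.outputs.name }} \
+docker-daemon:trivy/charmed-spark:test
+- name: Run Trivy vulnerability scanner
+uses: aquasecurity/trivy-action@master
+with:
+image-ref: 'trivy/charmed-spark:test'
+format: 'sarif'
+output: 'trivy-results.sarif'
+severity: 'MEDIUM,HIGH,CRITICAL'
+
+- name: Upload Trivy scan results to GitHub Security tab
+uses: github/codeql-action/upload-sarif@v2
+if: always()
+with:
+sarif_file: 'trivy-results.sarif'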
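Review bot: `uses: aquasecurity/trivy-action@master` on new line 37 pulls a mutable branch of a third-party action into the scanning job on every run, so any upstream change, malicious or merely breaking, lands in this pipeline unreviewed; pin it to a release tag or, preferably, a full commit SHA with the version noted alongside, e.g. `uses: aquasecurity/trivy-action@<commit-sha>  # <release-tag>` (placeholders to fill in). The `scan` job also declares no `permissions:` block, and `github/codeql-action/upload-sarif@v2` on line 45 requires `security-events: write`, which the default `GITHUB_TOKEN` on a `pull_request` run may not carry depending on repository settings; adding `permissions:` / `contents: read` / `security-events: write` under `scan:` both makes the upload reliable and keeps the token at least privilege. Since no `exit-code` input is set on the Trivy step, the scan appears to be non-blocking and MEDIUM+ findings only surface in the Security tab rather than failing the PR; if that is intentional, a one-line comment above the step such as `# Report-only: findings go to the Security tab and do not fail the PR` would make it explicit.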
