Merge pull request #10 from percona/EVEREST-726-trivy-checks

EVEREST-726 vulnerability check
percona · Mar 25, 2024 · 2456294 · 2456294
2 parents 2d96e1e + 4a31ad4
commit 2456294
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 0 deletions.
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
@@ -31,6 +31,21 @@ jobs:
           echo "Checking there is no source code changes"
           git diff --exit-code
 
+      - name: Build image to check it for vulnerabilities
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          push: false
+          tags: "perconalab/everest-catalog:0.0.0"
+          file: everest-catalog.Dockerfile
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: "perconalab/everest-catalog:0.0.0"
+          format: 'table'
+          severity: 'CRITICAL,HIGH'
+
       - name: Run debug commands on failure
         if: ${{ failure() }}
         run: |

diff --git a/.github/workflows/percona-build-push.yml b/.github/workflows/percona-build-push.yml
@@ -36,3 +36,12 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           file: everest-catalog.Dockerfile
+
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: "perconalab/everest-catalog:0.0.0"
+          format: 'table'
+          exit-code: '1'
+          severity: 'CRITICAL,HIGH'