ci(container): switch scanner to Trivy
Trivy should be capable of 1. having a configurable list of CVEs to ignore,
2. allowing to filter unfixed vulns and 3. having a more decent SARIF template
for better integration into the GitHub Security Tab reports

gdcc/dataverse-kubernetes#115
poikilotherm committed Jul 28, 2021
1 parent b7d5bc4 commit 0d7c177
Showing 1 changed file with 10 additions and 10 deletions.
20 changes: 10 additions & 10 deletions .github/workflows/ghcr_push_nightly.yml
@@ -41,21 +41,21 @@ jobs:
key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
restore-keys: ${{ runner.os }}-m2

- name: Build images
- name: Build container images
run: mvn -Pct package -Dct.build.tag="${IMAGE_TAG}" -Dct.build.registry="${REGISTRY}"

- name: Scan Dataverse image
id: scan
uses: anchore/scan-action@v2
- name: Scan Dataverse Container Image for vulnerabilities
# https://github.com/aquasecurity/trivy-action
uses: aquasecurity/trivy-action@master
with:
image: "${{ env.REGISTRY }}/gdcc/dataverse-k8s:${{ env.IMAGE_TAG }}"
# fail-build: true
severity-cutoff: critical
acs-report-enable: true
- name: upload Anchore scan SARIF report
image-ref: '${{ env.REGISTRY }}/gdcc/dataverse-k8s:${{ env.IMAGE_TAG }}'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
- name: Upload scan results as SARIF report to GitHub Security Tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
sarif_file: 'trivy-results.sarif'

- name: Log in to the Container registry
uses: docker/login-action@v1
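Review bot: the new scan step pins `uses: aquasecurity/trivy-action@master` to a mutable branch, so every nightly run executes whatever the upstream default branch currently contains; for a step that receives the registry image reference and produces the SARIF consumed by the Security tab, pin it to a tagged release or, better, a full commit SHA (for example `uses: aquasecurity/trivy-action@<commit-sha>` with a comment naming the version) and bump it deliberately. Also, the commit message promises a configurable ignore list and filtering of unfixed vulnerabilities, but the `with:` block configures neither (the action's `ignore-unfixed` input is not set), and the old `severity-cutoff: critical` was dropped without an equivalent `severity:` input, so this step now reports findings of every severity; either add those inputs here or say in the message that they are follow-up work. Finally, `fail-build: true` was already commented out and the Trivy step sets no `exit-code`, so with the action's default the job does not fail on findings; if that is intended, a short comment saying so would save the next reader a question.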
