Skip to content

Commit

Permalink
Merge pull request #3261 from cdr/jsjoeio/add-trivy
Browse files Browse the repository at this point in the history 
feat(ci): add trivy job for security
  • Loading branch information
@jsjoeio
jsjoeio authored May 4, 2021
2 parents f8d8ad3 + 6d5c603 commit 1070db7
Showing 1 changed file with 58 additions and 0 deletions.
58 changes: 58 additions & 0 deletions .github/workflows/ci.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -406,3 +406,61 @@ jobs:
with:
name: release-images
path: ./release-images

trivy-scan-image:
runs-on: ubuntu-20.04
needs: docker-amd64

steps:
- name: Checkout code
uses: actions/checkout@v2

- name: Download release images
uses: actions/download-artifact@v2
with:
name: release-images
path: ./release-images

- name: Run Trivy vulnerability scanner in image mode
# Commit SHA for v0.0.14
uses: aquasecurity/trivy-action@b38389f8efef9798810fe0c5b5096ac198cffd54
with:
input: "./release-images/code-server-amd64-*.tar"
scan-type: "image"
ignore-unfixed: true
format: "template"
template: "@/contrib/sarif.tpl"
output: "trivy-image-results.sarif"
severity: "HIGH,CRITICAL"

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: "trivy-image-results.sarif"

# We have to use two trivy jobs
# because GitHub only allows
# codeql/upload-sarif action per job
trivy-scan-repo:
runs-on: ubuntu-20.04

steps:
- name: Checkout code
uses: actions/checkout@v2

- name: Run Trivy vulnerability scanner in repo mode
# Commit SHA for v0.0.14
uses: aquasecurity/trivy-action@b38389f8efef9798810fe0c5b5096ac198cffd54
with:
scan-type: "fs"
scan-ref: "."
ignore-unfixed: true
format: "template"
template: "@/contrib/sarif.tpl"
output: "trivy-repo-results.sarif"
severity: "HIGH,CRITICAL"

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: "trivy-repo-results.sarif"

0 comments on commit 1070db7

Please sign in to comment.