diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000..9f7c880
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,59 @@
+name: Trivy Scan
+
+on:
+  push:
+    branches:
+      - master
+      - develop
+      - develop2
+
+  pull_request:
+    branches:
+      - master
+      - develop
+      - develop2
+
+
+jobs:
+  trivy-scan:
+    runs-on: ubuntu-latest
+    env:
+      NAMESPACE: ${{ secrets.dev_namespace_docker_hub }}
+      SERVICE_NAME: databreachdetector
+      VERSION: latest # Modify this as needed or set dynamically based on your versioning scheme
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Build Docker image
+        run: |
+          cd "${{ env.SERVICE_LOCATION }}"
+          docker build . --file databreachdetector/Dockerfile --tag ${{ env.SERVICE_NAME }}:${{ env.VERSION }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.20.0
+        with:
+          image-ref: 'docker.io/${{ env.SERVICE_NAME }}:${{ env.VERSION }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Report vulnerabilities in PR
+        if: failure() && steps.scan.outcome == 'failure'
+        env:
+          GITHUB_TOKEN: ${{ inputs.github_token }}
+        shell: bash
+        run: |
+          echo -n "{\"body\":\"### Vulnerabilities detected\nThe following vulnerabilities of HIGH or CRITICAL severity has been detected in the code. Please resolve these before merging the pull request.\n\n" > result.json
+          cat trivy.json | sort | uniq | tr -d '\n' >> result.json
+          echo "\"}" >> result.json
+          curl -X POST -H "Accept: application/vnd.github+json" \
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            -H "Authorization: Bearer $GITHUB_TOKEN" \
+            ${{ github.event.pull_request.comments_url }} \
+            -d @result.json
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
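Review bot: The "Report vulnerabilities in PR" step can never fire as written and could not authenticate if it did: its condition reads `steps.scan.outcome` but no step carries `id: scan`, the trivy-action step sets no `exit-code`/`severity` so the scan never fails, the script reads `trivy.json` which nothing produces (the scan writes `trivy-results.sarif`), and `${{ inputs.github_token }}` is empty in a push/pull_request workflow so curl would post with a blank bearer token. `env.SERVICE_LOCATION` in the build step is likewise never defined, so the `cd ""` is a no-op and the build only works because the job already runs from the repository root; drop that line or define the variable. Two further hardening points: the hand-assembled JSON body breaks on any `"` or `\` in the scan output, and the actions are pinned to moving tags (`actions/checkout@v2` and `upload-sarif@v2` are also superseded majors) rather than commit SHAs. The sketch below gives the failing scan an id, scopes `GITHUB_TOKEN` with an explicit `permissions:` block, builds the comment with jq, passes the comments URL through env instead of interpolating it into the script, and lets the SARIF upload run with `if: always()` so a failed scan still reaches the Security tab.
```yaml
permissions:
  contents: read
  pull-requests: write
  security-events: write

# … unchanged: on, jobs/env, checkout, build and SARIF scan steps …

      - name: Fail on HIGH/CRITICAL findings
        id: scan
        uses: aquasecurity/trivy-action@0.20.0
        with:
          image-ref: 'docker.io/${{ env.SERVICE_NAME }}:${{ env.VERSION }}'
          format: 'table'
          output: 'trivy.txt'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

      - name: Report vulnerabilities in PR
        if: failure() && steps.scan.outcome == 'failure' && github.event_name == 'pull_request'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          COMMENTS_URL: ${{ github.event.pull_request.comments_url }}
        shell: bash
        run: |
          jq -Rs '{body: ("### Vulnerabilities detected\nThe following vulnerabilities of HIGH or CRITICAL severity have been detected. Please resolve these before merging the pull request.\n\n```\n" + . + "\n```")}' trivy.txt > result.json
          curl -X POST -H "Accept: application/vnd.github+json" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            -H "Authorization: Bearer $GITHUB_TOKEN" \
            "$COMMENTS_URL" \
            -d @result.json

      - name: Upload Trivy scan results to GitHub Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
```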