pause cicd #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # name: Scan Image Comment Service | |
| # on: | |
| # workflow_call: | |
| # jobs: | |
| # scan-image: | |
| # name: Security Scan | |
| # runs-on: ubuntu-latest | |
| # steps: | |
| # - name: Install Trivy | |
| # run: | | |
| # sudo apt-get update | |
| # sudo apt-get install -y wget | |
| # wget https://github.com/aquasecurity/trivy/releases/download/v0.40.0/trivy_0.40.0_Linux-64bit.deb | |
| # sudo dpkg -i trivy_0.40.0_Linux-64bit.deb | |
| # - name: Scan Docker image with Trivy | |
| # id: scan-image | |
| # run: | | |
| # trivy image --format json --output scan-results.json datuits/devops-comment-service:latest | |
| # - name: Extract high and critical vulnerabilities | |
| # id: extract_vulnerabilities | |
| # run: | | |
| # jq -r ' | |
| # def hr(severity): | |
| # if severity == "HIGH" or severity == "CRITICAL" then true else false end; | |
| # def to_md: | |
| # "| " + (.VulnerabilityID // "") + " | " + (.PkgName // "") + " | " + (.InstalledVersion // "") + " | " + (.Severity // "") + " | " + (.Title // "") + " |"; | |
| # [ | |
| # "# Docker Image Scan Results", | |
| # "", | |
| # "## High and Critical Vulnerabilities", | |
| # "", | |
| # "| Vulnerability ID | Package | Version | Severity | Description |", | |
| # "|------------------|---------|---------|----------|-------------|", | |
| # (.Results[] | .Vulnerabilities[] | select(hr(.Severity)) | to_md), | |
| # "" | |
| # ] | join("\n") | |
| # ' scan-results.json > vulnerability-report.md | |
| # - name: Upload vulnerability report | |
| # uses: actions/upload-artifact@v2 | |
| # with: | |
| # name: vulnerability-report | |
| # path: vulnerability-report.md |