Include vulnerability scan in the docker build step #139
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Publish Docker Images | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - '**' | |
| tags: | |
| - 'v*.*.*' | |
| pull_request: | |
| jobs: | |
| build_and_publish: | |
| name: Build and Publish Docker images | |
| permissions: | |
| contents: read | |
| security-events: write | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| version: | |
| - '3.7.1' | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to Container Registry | |
| if: github.event_name != 'pull_request' | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ secrets.DOCKER_REGISTRY_USERNAME }} | |
| password: ${{ secrets.DOCKER_REGISTRY_TOKEN }} | |
| # GS64 server image | |
| - name: Gather docker meta data for server image | |
| id: docker_meta_runtime | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ghcr.io/${{ github.repository_owner }}/gs64 | |
| - name: Docker build and push server image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: ./source | |
| file: ./source/Dockerfile | |
| build-args: GS_VERSION=${{ matrix.version }} | |
| target: docker-gs64-server | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: ${{ steps.docker_meta_runtime.outputs.tags }} | |
| labels: ${{ steps.docker_meta_runtime.outputs.labels }} | |
| secrets: GIT_AUTH_TOKEN=${{ secrets.DOCKER_REGISTRY_TOKEN }} | |
| # GS64 server image + rowan extent | |
| - name: Gather docker meta data for rowan image | |
| id: docker_meta_runtime_rowan | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ghcr.io/${{ github.repository_owner }}/gs64-rowan | |
| - name: Docker build and push rowan image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: ./source | |
| file: ./source/Dockerfile | |
| build-args: GS_VERSION=${{ matrix.version }} | |
| target: docker-gs64-rowan | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: ${{ steps.docker_meta_runtime_rowan.outputs.tags }} | |
| labels: ${{ steps.docker_meta_runtime_rowan.outputs.labels }} | |
| secrets: GIT_AUTH_TOKEN=${{ secrets.DOCKER_REGISTRY_TOKEN }} | |
| # GS64 server image + base extent0.dbf | |
| - name: Gather docker meta data for base image | |
| id: docker_meta_runtime_base | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ghcr.io/${{ github.repository_owner }}/gs64-base | |
| - name: Docker build and push base image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: ./source | |
| file: ./source/Dockerfile | |
| build-args: GS_VERSION=${{ matrix.version }} | |
| target: docker-gs64-base | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: ${{ steps.docker_meta_runtime_base.outputs.tags }} | |
| labels: ${{ steps.docker_meta_runtime_base.outputs.labels }} | |
| secrets: GIT_AUTH_TOKEN=${{ secrets.DOCKER_REGISTRY_TOKEN }} | |
| # GS64 gem image | |
| - name: Gather docker meta data for gem image | |
| id: docker_meta_runtime_gem | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: ghcr.io/${{ github.repository_owner }}/gs64-gem | |
| - name: Docker build and push gem image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: ./source | |
| file: ./source/Dockerfile | |
| build-args: GS_VERSION=${{ matrix.version }} | |
| target: docker-gs64-gem | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: ${{ steps.docker_meta_runtime_gem.outputs.tags }} | |
| labels: ${{ steps.docker_meta_runtime_gem.outputs.labels }} | |
| secrets: GIT_AUTH_TOKEN=${{ secrets.DOCKER_REGISTRY_TOKEN }} | |
| # Scan for vulnerabilities | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ghcr.io/${{ github.repository_owner }}/gs64:${{ github.sha }} | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| severity: 'CRITICAL,HIGH' | |
| limit-severities-for-sarif: true | |
| ignore-unfixed: true | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: 'trivy-results.sarif' |