diff --git a/.github/workflows/trivy-scan-connector-template.yml b/.github/workflows/trivy-scan-connector-template.yml
new file mode 100644
index 00000000..04e7d098
--- /dev/null
+++ b/.github/workflows/trivy-scan-connector-template.yml
@@ -0,0 +1,60 @@
+name: Trivy
+
+on:
+ workflow_call:
+ inputs:
+ additional-build-flags:
+ required: false
+ type: string
+ default: ""
+
+jobs:
+ ubuntu-build:
+ name: Build on Ubuntu
+ runs-on: ubuntu-latest
+ if: github.repository_owner == 'ballerina-platform'
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Get Ballerina Version
+ run: |
+ BAL_VERSION=$(grep -w 'ballerinaLangVersion' gradle.properties | cut -d= -f2 | rev | cut --complement -d- -f1 | rev)
+ if [ -z "$BAL_VERSION" ]; then
+ BAL_VERSION="latest"
+ fi
+ echo "BAL_VERSION=$BAL_VERSION" >> $GITHUB_ENV
+ echo "Ballerina Version: $BAL_VERSION"
+
+ - name: Set Up Ballerina
+ uses: ballerina-platform/setup-ballerina@v1.1.3
+ with:
+ version: ${{ env.BAL_VERSION }}
+
+ - name: Set up JDK 17
+ uses: actions/setup-java@v3
+ with:
+ distribution: "temurin"
+ java-version: 17.0.7
+
+ - name: Build with Gradle
+ env:
+ packageUser: ${{ github.actor }}
+ packagePAT: ${{ secrets.GITHUB_TOKEN }}
+ run: ./gradlew build -x test ${{ inputs.additional-build-flags }}
+
+ - name: Create lib directory if not exists
+ run: mkdir -p ballerina/lib
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ env:
+ TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+ TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
+ with:
+ scan-type: "rootfs"
+ scan-ref: "${{ github.workspace }}/ballerina/lib"
+ format: "table"
+ timeout: "10m0s"
+ exit-code: "1"
+ scanners: "vuln"
+ cache-dir: "/tmp/trivy-cache"
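Review bot: `uses: aquasecurity/trivy-action@master` in the scanner step resolves to whatever the upstream branch head is at run time, so a compromised or merely broken upstream commit lands directly in every repository that calls this reusable workflow; pin it to an immutable ref, `uses: aquasecurity/trivy-action@<full commit sha>  # vX.Y.Z`, and consider giving `actions/checkout@v3` and `actions/setup-java@v3` the same treatment if the org requires SHA pinning. The Gradle step splices `${{ inputs.additional-build-flags }}` straight into the shell line, which is the script-injection pattern GitHub documents for `run:`; even though this input comes from a calling workflow rather than a pull request, passing it through the environment, `env: { ADDITIONAL_BUILD_FLAGS: ${{ inputs.additional-build-flags }} }` with `run: ./gradlew build -x test $ADDITIONAL_BUILD_FLAGS`, ensures the value is only word-split and never re-parsed for operators or command substitution. The workflow also declares no `permissions:` block, so the `GITHUB_TOKEN` handed to Gradle as `packagePAT` inherits whatever default the calling repository has configured; a top-level `permissions: { contents: read, packages: read }` keeps the job least-privilege, with `packages: read` presumably being what the dependency resolution needs — confirm against the build script before narrowing further.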