Skip to content
trivy

[DPE-2921] Add trivy security scanning pipeline #7

Sign in to view logs

[DPE-2921] Add trivy security scanning pipeline

[DPE-2921] Add trivy security scanning pipeline #7

Workflow file for this run

.github/workflows/trivy.yml at 828aa7f
name: trivy
on:
pull_request:
jobs:
build:
uses: ./.github/workflows/build.yaml
scan:
name: Trivy scan
needs: build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Install skopeo
run: |
sudo snap install --devmode --channel edge skopeo
- name: Install and configure microk8s
run: |
make microk8s
- name: Get Artifact Name
id: artifact
run: |
ARTIFACT=$(make help | grep 'Artifact: ')
echo "name=${ARTIFACT#'Artifact: '}" >> $GITHUB_OUTPUT
- name: Download artifact
uses: actions/download-artifact@v3
with:
name: charmed-spark
path: charmed-spark
- name: Import locally
run: |
# Unpack artifact
mv charmed-spark/${{ steps.artifact.outputs.name }} .
ls -larth
rmdir charmed-spark
docker import ${{ steps.artifact.outputs.name }} ghcr.io/canonical/test-charmed-spark:test
# Import artifact into docker with new tag
# sg microk8s -c "microk8s ctr images import --base-name ghcr.io/canonical/test-charmed-spark:test ${{ steps.artifact.outputs.name }}"
docker images
sg microk8s -c "microk8s ctr images list"
docker tag ghcr.io/canonical/test-charmed-spark:test trivy/charmed-spark:test
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'trivy/charmed-spark:test'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'MEDIUM,HIGH,CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: 'trivy-results.sarif'