feat: feat: add trivy vulnerability check

halestudio · Jun 5, 2024 · 7bdc6df · 7bdc6df
1 parent 72bef35
commit 7bdc6df
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 15 deletions.
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -110,6 +110,16 @@ jobs:
           path: build/target/hale-studio-*macosx*.dmg
           retention-days: 14
 
+      - name: Run Trivy scan
+        run: |
+          trivy rootfs --severity=CRITICAL,HIGH build/target/hale-studio-*linux* --format sarif --output trivy-results.sarif
+
+      - name: Upload Trivy scan results to file
+        uses: actions/upload-artifact@v2
+        with:
+          name: trivy-results
+          path: trivy-results.sarif    
+
       - name: Find artifact comment if it exists
         if: "! github.event.pull_request.head.repo.fork " # Only run with write permissions
         uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -26,6 +26,7 @@ jobs:
       actions: write # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
     name: Build
     runs-on: ubuntu-latest
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -34,34 +35,48 @@ jobs:
       #  run: |
       #    docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
 
-      - name: Run Trivy vulnerability scanner in fs mode
-        uses: aquasecurity/trivy-action@master
-        with:
+      #- name: Run Trivy vulnerability scanner in fs mode
+      #  uses: aquasecurity/trivy-action@master
+      #  with:
           # image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
-          scan-type: 'fs'
-          scan-ref: '.'
+          #scan-type: 'fs'
+          #scan-ref: '.'
           #exit-code: '0'
           #ignore-unfixed: true
-          format: 'sarif'
+          #format: 'sarif'
           #vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH,MEDIUM'
+          #severity: 'CRITICAL,HIGH,MEDIUM'
           #template: '/sarif.tpl'
-          output: 'trivy-results.sarif'
+          #output: 'trivy-results.sarif'
           #skip-dirs: "ignored-dir"
           #trivy-config: trivy.yaml
 
-      #- name: Upload Trivy scan results as artifact
-      #  uses: actions/upload-artifact@v2
+      - name: Run Trivy scan
+        run: |
+          trivy fs --target /home/runner/work/hale/hale --debug --format sarif --output trivy-results.sarif
+
+      #- name: Run Trivy vulnerability scanner
+      #  uses: aquasecurity/trivy-action@0.20.0
       #  with:
-      #    name: trivy-results
-      #    path: trivy-results.sarif
+      #    scan-type: 'fs'
+      #    target: '/home/runner/work/hale/hale' 
+      #    format: 'sarif'
+      #    output: 'trivy-results.sarif'
+      #    severity: 'CRITICAL,HIGH'
+      #    debug: true
 
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
+      - name: Upload Trivy scan results to file
+        uses: actions/upload-artifact@v2
         with:
-          sarif_file: 'trivy-results.sarif'
+          name: trivy-results
+          path: trivy-results.sarif
 
+      # - name: Upload Trivy scan results to GitHub Security tab
+      #   uses: github/codeql-action/upload-sarif@v2
+      #   with:
+      #   sarif_file: 'trivy-results.sarif'
 
+
       #- name: Create Pull Request
       #  uses: peter-evans/create-pull-request@v5
       #  with: