fixup! ci: add Trivy vulnerability check and CodeQL static analysis

halestudio · Jun 19, 2024 · f32a1de · f32a1de
1 parent 01655af
commit f32a1de
Show file tree

Hide file tree

Showing 2 changed files with 56 additions and 23 deletions.
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -110,29 +110,6 @@ jobs:
           path: build/target/hale-studio-*macosx*.dmg
           retention-days: 14
 
-      - name: Extract the archive file
-        run: |
-          mkdir -p build/target/hale-studio-linux-trivy
-          tar -xzf build/target/hale-studio-*linux*.tar.gz -C build/target/hale-studio-linux-trivy
-
-      - name: Run Trivy vulnerability scanner in fs mode
-        uses: aquasecurity/trivy-action@master
-        with:
-          scan-type: 'rootfs'
-          scan-ref: 'build/target/hale-studio-linux-trivy'
-          format: 'sarif'
-          severity: 'CRITICAL,HIGH'
-          output: 'trivy-results.sarif'
-
-      - name: Upload Trivy SARIF report
-        uses: github/codeql-action/upload-sarif@v1
-        with:
-          sarif_file: trivy-results.sarif
-
-      - name: Cleanup extracted directory
-        run: |
-          rm -rf build/target/hale-studio-linux-trivy    
-
       - name: Find artifact comment if it exists
         if: "! github.event.pull_request.head.repo.fork " # Only run with write permissions
         uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e # v3.1.0
@@ -161,3 +138,31 @@ jobs:
 
             Build triggered for commit *${{ github.sha }}*.
             Artifacts are retained for 14 days.
+
+  trivy:
+    needs: [build]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download hale studio build (Linux)
+        uses: actions/download-artifact@v4
+        with:
+          name: hale studio (Linux)
+
+      - name: Extract the archive file
+        run: |
+          mkdir -p hale-studio-linux-trivy
+          tar -xzf hale-studio-*linux*.tar.gz -C hale-studio-linux-trivy
+
+      - name: Run Trivy vulnerability scanner in rootfs mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'rootfs'
+          scan-ref: 'hale-studio-linux-trivy'
+          format: 'sarif'
+          severity: 'CRITICAL,HIGH'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy SARIF report
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: trivy-results.sarif
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -132,3 +132,31 @@ jobs:
           channel: build-failures
           status: FAILED
           color: danger
+
+  trivy:
+    needs: [build]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download hale studio build (Linux)
+        uses: actions/download-artifact@v4
+        with:
+          name: hale studio (Linux)
+
+      - name: Extract the archive file
+        run: |
+          mkdir -p hale-studio-linux-trivy
+          tar -xzf hale-studio-*linux*.tar.gz -C hale-studio-linux-trivy
+
+      - name: Run Trivy vulnerability scanner in rootfs mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'rootfs'
+          scan-ref: 'hale-studio-linux-trivy'
+          format: 'sarif'
+          severity: 'CRITICAL,HIGH'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy SARIF report
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: trivy-results.sarif