Bump aquasecurity/trivy-action from 0.13.0 to 0.16.1 #296
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
# Workflow syntax for GitHub Actions: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions | |
# Build Application and Upload Container Image to Docker Hub | |
name: Build and Scan Image | |
# Events: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows | |
on: | |
# Run workflow on push except for ignored branches and paths | |
push: | |
# Secrets aren't available for dependabot on push. https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/troubleshooting-the-codeql-workflow#error-403-resource-not-accessible-by-integration-when-using-dependabot | |
branches-ignore: | |
# - 'dependabot/**' | |
- 'cherry-pick-*' | |
paths-ignore: | |
- '**.md' # Ignore documentation changes | |
- '.github/**(!build.yml)' # Ignore other workflow changes | |
# Run workflow on pull request | |
pull_request: # By default, a workflow only runs when a pull_request event's activity type is opened, synchronize, or reopened | |
# Allow user to manually trigger Workflow execution | |
workflow_dispatch: | |
# Set Workflow-level permissions: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs | |
permissions: | |
contents: read | |
# Run a single job at a time: https://docs.github.com/en/actions/using-jobs/using-concurrency | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
build: | |
# Run job when not triggered by a merge | |
if: (github.event_name == 'push' && contains(toJSON(github.event.head_commit.message), 'Merge pull request ') == false) || (github.event_name != 'push') | |
runs-on: ubuntu-latest | |
environment: docker-hub # Use `docker-hub` repository environment | |
# Set Job-level environment variables | |
env: | |
MYSQL_DATABASE: demoapp | |
MYSQL_USER: user | |
MYSQL_PASSWORD: password | |
MYSQL_ROOT_PASSWORD: local | |
# Select builder from: ["docker", "maven"] | |
# "docker" uses multi-stage build | |
# "maven" uses dockerfile-maven-plugin | |
BUILDERS: '["docker", "maven"]' | |
BUILDER: maven | |
# Uncomment lines below to run `build` job on container | |
# Note: container image must contains commands required for step execution, e.g. docker, gzip, etc. | |
# container: | |
# image: mcr.microsoft.com/openjdk/jdk:17-ubuntu # Image Java version must match with `project.version` in pom.xml | |
# # Set credentials when container registry requires authentication to pull the image | |
# # credentials: | |
# # username: ${{ github.actor }} | |
# # password: ${{ secrets.github_token }} | |
services: | |
mysql: | |
image: mysql:8.0 # Use same mysql image from devcontainer.json | |
env: | |
MYSQL_DATABASE: ${{ env.MYSQL_DATABASE }} | |
MYSQL_USER: ${{ env.MYSQL_USER }} | |
MYSQL_PASSWORD: ${{ env.MYSQL_PASSWORD }} | |
MYSQL_ROOT_PASSWORD: ${{ env.MYSQL_ROOT_PASSWORD }} | |
# Ports are required only when `container` keyword is not defined | |
ports: | |
- 3306:3306 # Opens tcp port 3306 on the host and service container | |
steps: | |
# Workaround for the absence of github.branch_name, use github-env-vars-action to define useful environment variables not available by default | |
- uses: FranzDiebold/github-env-vars-action@v2 # https://github.com/marketplace/actions/github-environment-variables-action | |
# Set Complete Container Image URL | |
- name: Set CONTAINER_IMAGE_URL | |
run: | | |
echo "CONTAINER_IMAGE_URL=${{ vars.DOCKER_REGISTRY_URL }}/${{ vars.DOCKER_REPOSITORY }}/${{ env.CI_REPOSITORY_NAME }}:${{ env.CI_ACTION_REF_NAME }}" >> $GITHUB_ENV | |
# Fail job when invalid builder is selected | |
- name: Check BUILDER environment variable | |
# if expression clarification: https://github.com/github/docs/blob/main/data/reusables/actions/expression-syntax-if.md | |
if: ${{! contains(fromJSON(env.BUILDERS), env.BUILDER) }} | |
run: | | |
echo "Invalid builder: ${{ env.BUILDER }}" | |
echo "Builders: ${{ env.BUILDERS }}" | |
exit 1 | |
- name: Checkout repository | |
uses: actions/checkout@v4 # https://github.com/marketplace/actions/checkout | |
# Setup Java | |
- uses: actions/setup-java@v3 # https://github.com/actions/setup-java | |
with: | |
distribution: microsoft # Microsoft was selected to match Visual Studio Code Dev Container Java distribuition, see .devcontainer/devcontainer.json. Supported distributions: https://github.com/actions/setup-java#supported-distributions | |
java-version: '17' # Java version must match `project.properties['java.version']` in pom.xml | |
# Cache Maven dependencies | |
- name: Install and Cache Maven dependencies | |
id: cache | |
uses: actions/cache@v3 # https://github.com/marketplace/actions/cache#using-a-combination-of-restore-and-save-actions | |
with: | |
path: | | |
~/.m2 | |
key: maven-${{ hashFiles('**/pom.xml') }} | |
- name: Set up QEMU | |
if: env.BUILDER == 'docker' | |
uses: docker/setup-qemu-action@v3 # https://github.com/marketplace/actions/docker-setup-qemu | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 # https://github.com/marketplace/actions/docker-setup-build | |
- name: Login to DockerHub | |
uses: docker/login-action@v3 # https://github.com/marketplace/actions/docker-login | |
with: | |
registry: ${{ vars.DOCKER_REGISTRY_URL }} | |
username: ${{ secrets.DOCKER_REGISTRY_USERNAME }} | |
password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }} | |
# Build with Maven and Upload Container Image to Docker Hub | |
- name: Maven Build | |
if: env.BUILDER == 'maven' | |
env: | |
# Use localhost when `container` keyword is not defined | |
SPRING_DATASOURCE_URL: jdbc:mysql://localhost:3306/demoapp | |
# Use service name when `container` keyword is defined | |
# SPRING_DATASOURCE_URL: jdbc:mysql://mysql:3306/demoapp | |
SPRING_DATASOURCE_USERNAME: root | |
SPRING_DATASOURCE_PASSWORD: ${{ env.MYSQL_ROOT_PASSWORD }} | |
# Use `vars` context when using repository environment variables: https://docs.github.com/en/actions/learn-github-actions/contexts#vars-context | |
run: | | |
mvn package -Ddockerfile.skip=true \ | |
-Drevision=${{ env.CI_ACTION_REF_NAME }} \ | |
-DDOCKER_REGISTRY_URL=${{ vars.DOCKER_REGISTRY_URL }}/${{ vars.DOCKER_REPOSITORY }}/ | |
- name: Docker Build and Push | |
if: env.BUILDER == 'maven' | |
uses: docker/build-push-action@v5 # https://github.com/marketplace/actions/build-and-push-docker-images | |
with: | |
context: . | |
file: Containerfile | |
# build-args syntax clarification: https://github.com/docker/build-push-action/issues/557#issuecomment-1030412477 | |
build-args: | | |
"JAR_FILE=${{ env.CI_REPOSITORY_NAME }}-${{ env.CI_ACTION_REF_NAME }}.jar" | |
push: true | |
tags: ${{ env.CONTAINER_IMAGE_URL }} # CONTAINER_IMAGE_URL is defined in GITHUB_ENV | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
- name: Docker Build and Push (Multi-Stage) | |
if: env.BUILDER == 'docker' | |
uses: docker/build-push-action@v5 # https://github.com/marketplace/actions/build-and-push-docker-images | |
with: | |
context: . | |
file: Containerfile.multistage | |
push: true | |
tags: ${{ env.CONTAINER_IMAGE_URL }} # CONTAINER_IMAGE_URL is defined in GITHUB_ENV | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
container-structure-test: | |
needs: build | |
runs-on: ubuntu-latest | |
environment: docker-hub # Use `docker-hub` repository environment | |
steps: | |
# Workaround for the absence of github.branch_name, use github-env-vars-action to define useful environment variables not available by default | |
- uses: FranzDiebold/github-env-vars-action@v2 # https://github.com/marketplace/actions/github-environment-variables-action | |
# Set Complete Container Image URL | |
- name: Set CONTAINER_IMAGE_URL | |
run: | | |
echo "CONTAINER_IMAGE_URL=${{ vars.DOCKER_REGISTRY_URL }}/${{ vars.DOCKER_REPOSITORY }}/${{ env.CI_REPOSITORY_NAME }}:${{ env.CI_ACTION_REF_NAME }}" >> $GITHUB_ENV | |
- name: Login to DockerHub | |
uses: docker/login-action@v3 # https://github.com/marketplace/actions/docker-login | |
with: | |
registry: ${{ vars.DOCKER_REGISTRY_URL }} | |
username: ${{ secrets.DOCKER_REGISTRY_USERNAME }} | |
password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }} | |
- name: Pull Container Image | |
# CONTAINER_IMAGE_URL is defined in GITHUB_ENV | |
run: | | |
docker pull ${{ env.CONTAINER_IMAGE_URL }} | |
- name: Checkout repository | |
uses: actions/checkout@v4 # https://github.com/marketplace/actions/checkout | |
- name: Run Container Structure Test | |
uses: ./.github/actions/container-structure-test | |
with: | |
image: ${{ env.CONTAINER_IMAGE_URL }} # CONTAINER_IMAGE_URL is defined in GITHUB_ENV | |
configFile: ./container-structure-test.yaml | |
scan: | |
needs: build | |
runs-on: ubuntu-latest | |
# Set Job-level permissions: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions | |
permissions: | |
security-events: write # Allow Job to upload scan results to GitHub | |
environment: docker-hub # Use `docker-hub` repository environment | |
env: | |
TRIVY_CACHE_DIR: /tmp/trivy/ | |
steps: | |
# Workaround for the absence of github.branch_name, use github-env-vars-action to define useful environment variables not available by default | |
- uses: FranzDiebold/github-env-vars-action@v2 # https://github.com/marketplace/actions/github-environment-variables-action | |
# Set Complete Container Image URL | |
- name: Set CONTAINER_IMAGE_URL | |
run: | | |
echo "CONTAINER_IMAGE_URL=${{ vars.DOCKER_REGISTRY_URL }}/${{ vars.DOCKER_REPOSITORY }}/${{ env.CI_REPOSITORY_NAME }}:${{ env.CI_ACTION_REF_NAME }}" >> $GITHUB_ENV | |
- name: Checkout repository | |
uses: actions/checkout@v4 # https://github.com/marketplace/actions/checkout | |
- name: Cache Trivy | |
id: cache | |
uses: actions/cache@v3 # https://github.com/marketplace/actions/cache#using-a-combination-of-restore-and-save-actions | |
with: | |
path: ${{ env.TRIVY_CACHE_DIR }} | |
key: trivy-${{ hashFiles('**/pom.xml', '**/Containerfile*') }} # Trivy scan results are influenced by maven dependencies and Containerfile runtime image | |
- name: Scan Image with Aqua Security Trivy | |
uses: aquasecurity/trivy-action@0.16.1 # https://github.com/marketplace/actions/aqua-security-trivy | |
with: | |
image-ref: ${{ env.CONTAINER_IMAGE_URL }} # CONTAINER_IMAGE_URL is defined in GITHUB_ENV | |
vuln-type: 'os,library' | |
severity: 'LOW,MEDIUM,HIGH,CRITICAL' | |
scanners: 'vuln,secret,config' | |
ignore-unfixed: true | |
exit-code: '1' | |
cache-dir: ${{ env.TRIVY_CACHE_DIR }} | |
format: sarif | |
output: 'trivy-results.sarif' | |
env: | |
TRIVY_USERNAME: ${{ secrets.DOCKER_REGISTRY_USERNAME }} | |
TRIVY_PASSWORD: ${{ secrets.DOCKER_REGISTRY_PASSWORD }} | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2.22.5 # https://github.com/github/codeql-action/tree/main/upload-sarif | |
with: | |
sarif_file: 'trivy-results.sarif' |