Skip to content

Commit

Permalink
feat: Add Trivy scanner to the pipeline
Browse files Browse the repository at this point in the history
Signed-off-by: Hubert Siwik <[email protected]>
Signed-off-by: hubert.siwik <[email protected]>
  • Loading branch information
hubert.siwik committed Nov 13, 2024
1 parent 1ef072c commit 3267dd5
Showing 1 changed file with 16 additions and 0 deletions.
16 changes: 16 additions & 0 deletions .github/workflows/verifyimage.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ jobs:
runs-on: ubuntu-latest
outputs:
targets: ${{ steps.generate.outputs.targets }}
repo: ${{ steps.metadata.outputs.repo }}
steps:
- name: Checkout
uses: actions/checkout@v4
Expand All @@ -25,6 +26,10 @@ jobs:
curl -sSL https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/modsecurity.conf-recommended -o modsecurity.conf-recommended
echo '${{ env.MODSECURITY_RECOMMENDED }}' > sha256sum.txt
sha256sum -c sha256sum.txt
# The environment variable is not accessible in the context of "with" section
- name: Set a repo output
id: metadata
run: echo "repo=${REPO}" >> "$GITHUB_OUTPUT"

build:
runs-on: ubuntu-latest
Expand Down Expand Up @@ -60,6 +65,17 @@ jobs:
load: true
push: false

- name: Scan ${{ matrix.target }}
uses: aquasecurity/[email protected]
with:
image-ref: ${{ needs.prepare.outputs.repo }}:${{ matrix.target }}
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
scanners: 'vuln,secret'

- name: Run ${{ matrix.target }}
run: |
echo "Starting container ${{ matrix.target }}"
Expand Down

0 comments on commit 3267dd5

Please sign in to comment.