Skip to content
trivy

[DPE-6365] add trivy to github workflow #9

Sign in to view logs

[DPE-6365] add trivy to github workflow

[DPE-6365] add trivy to github workflow #9

Workflow file for this run

.github/workflows/trivy.yaml at 1a6ab93
name: trivy
on:
push:
branches:
- 6-22.04
- 5-22.04
pull_request:
workflow_call:
inputs:
branch:
type: string
default: ""
jobs:
build:
name: Build rock
uses: canonical/data-platform-workflows/.github/workflows/build_rock.yaml@v29.0.1
scan:
name: Trivy scan and sbom generation
needs: build
runs-on: ubuntu-20.04
steps:
- name: Checkout repo
uses: actions/checkout@v3
- name: Install required dependencies
run: |
# docker
sudo snap install docker
sudo addgroup --system docker; sudo adduser $USER docker
newgrp docker
sudo snap disable docker; sudo snap enable docker
# skopeo
sudo snap install --devmode --channel edge skopeo
# yq
sudo snap install yq
- name: Download rock package(s)
uses: actions/download-artifact@v4
with:
pattern: ${{ needs.build.outputs.artifact-prefix }}-*
merge-multiple: true
- name: Import locally
run: |
full_version="$(cat rockcraft.yaml | yq .version)"
ls
sudo skopeo \
--insecure-policy \
copy \
oci-archive:charmed-mongodb_${full_version}_amd64.rock \
docker-daemon:trivy/charmed-mongodb:test
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@0.28.0
with:
image-ref: "trivy/charmed-mongodb:test"
format: "sarif"
output: "trivy-results.sarif"
severity: "MEDIUM,HIGH,CRITICAL"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: "trivy-results.sarif"
ref: ${{ inputs.branch }}
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
uses: aquasecurity/trivy-action@0.28.0
with:
scan-type: "image"
format: "spdx-json"
output: "dependency-results.sbom.json"
image-ref: "trivy/charmed-mongodb:test"
github-pat: ${{ secrets.GITHUB_TOKEN }}
severity: "MEDIUM,HIGH,CRITICAL"
scanners: "vuln"
- name: Upload trivy report as a Github artifact
uses: actions/upload-artifact@v4
with:
name: trivy-sbom-report
path: "${{ github.workspace }}/dependency-results.sbom.json"
retention-days: 90