Setup trivy scanning #27
Conversation
|
Should we maybe instead run Trivy daily on the existing latest image + on pull requests and push to |
.github/workflows/trivy.yml
Outdated
|
|
||
| - name: Build an image from Dockerfile | ||
| run: | | ||
| docker build -t docker.io/my-organization/my-app:${{ github.sha }} . |
There was a problem hiding this comment.
Are those really the literals my-organization and my-app, or are they placeholders?
Also I know nothing about this thing, could you please link to a reference for it?
There was a problem hiding this comment.
i would if i knew of one :D
Yes i think so, TBH i hadn't noticed that the content of this was non-sensicle |
|
@jgiannuzzi i think we should just move the 2 scan items to the docker build action we already have. i don't see the value in doing docker build twice. That also means we don't need to maintain the image name in 2 places which resolves what @greed42 flagged |
|
@eswdd agreed — and as a future improvement, we should also build the Docker image (but not push, of course) on pull requests |
Hopefully this will be blocked.
| @@ -21,17 +24,22 @@ jobs: | |||
|
|
|||
| - name: Build image | |||
| run: docker build -t image . | |||
|
|
|||
| - name: Sanitize repo slug | |||
| uses: actions/github-script@v4 | |||
There was a problem hiding this comment.
I think we should use the latest version of this action
| uses: actions/github-script@v4 | |
| uses: actions/github-script@v6 |
| - name: Run Trivy vulnerability scanner | ||
| uses: aquasecurity/trivy-action@2a2157eb22c08c9a1fac99263430307b8d1bc7a2 | ||
| with: | ||
| image-ref: '${{ steps.github_id.outputs.result }}:${{ github.sha }}' | ||
| format: 'template' | ||
| template: '@/contrib/sarif.tpl' | ||
| output: 'trivy-results.sarif' | ||
| severity: 'CRITICAL,HIGH' | ||
|
|
||
| - name: Upload Trivy scan results to GitHub Security tab | ||
| uses: github/codeql-action/upload-sarif@v1 | ||
| with: | ||
| sarif_file: 'trivy-results.sarif' |
There was a problem hiding this comment.
We may want to scan the image before we push it, to avoid pushing known vulnerable images.
In that case, we may want to refactor further, by using the proper image name straight for building, instead of image.
No description provided.