Update trivy-scan.yml #20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Trivy Scan | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - 'release-1*' | |
| - develop | |
| - '1.2.*' | |
| - master | |
| - test | |
| - MOSIP-35889 | |
| pull_request: | |
| branches: | |
| - main | |
| - 'release-1*' | |
| - develop | |
| - '1.2.*' | |
| - master | |
| - test | |
| - MOSIP-35889 | |
| jobs: | |
| trivy-scan: | |
| runs-on: ubuntu-latest | |
| env: | |
| SERVICE_NAME: partner-onboarder | |
| VERSION: ${{ github.event.number || 'latest' }} | |
| SERVICE_LOCATION: '.' | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v2 | |
| - name: Build Docker image | |
| run: | | |
| cd "${{ env.SERVICE_LOCATION }}" | |
| docker build . --file Dockerfile --tag ${{ env.SERVICE_NAME }}:${{ env.VERSION }} | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: '${{ env.SERVICE_NAME }}:${{ env.VERSION }}' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| severity: 'HIGH,CRITICAL' | |
| ignore-unfixed: true # Optional: Ignores vulnerabilities without a fix | |
| exit-code: 1 # Fails the job if vulnerabilities are found at specified severities | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: 'trivy-results.sarif' |