Improve vulnerabiltiy scanning #326

Workflow file for this run

.github/workflows/docker-build.yml at f1895dd

	name: Build and Publish Pharo Docker Images
	on:
	workflow_dispatch:
	push:
	branches:
	- '**'
	tags:
	- 'v..*'
	pull_request:
	jobs:
	build_and_publish:
	runs-on: ubuntu-latest
	name: Build and Publish Docker images
	permissions:
	contents: read
	security-events: write
	steps:
	- name: Checkout
	uses: actions/checkout@v4
	- name: Docker meta
	id: docker_meta
	uses: docker/metadata-action@v5
	with:
	images: ghcr.io/${{ github.repository_owner }}/launchpad
	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3
	- name: Login to Container Registry
	if: github.event_name != 'pull_request'
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ secrets.DOCKER_REGISTRY_USERNAME }}
	password: ${{ secrets.DOCKER_REGISTRY_TOKEN }}
	- name: Docker build and push
	uses: docker/build-push-action@v5
	with:
	context: ./docker/pharo
	push: ${{ github.event_name != 'pull_request' }}
	tags: ${{ steps.docker_meta.outputs.tags }}
	labels: ${{ steps.docker_meta.outputs.labels }}
	secrets: GIT_AUTH_TOKEN=${{ secrets.DOCKER_REGISTRY_TOKEN }}
	# Scan for vulnerabilities
	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@master
	if: ${{ github.event_name != 'pull_request' }}
	with:
	image-ref: ghcr.io/${{ github.repository_owner }}/launchpad:${{ github.ref_name }}
	format: 'sarif'
	output: 'trivy-results.sarif'
	severity: 'CRITICAL,HIGH'
	limit-severities-for-sarif: true
	ignore-unfixed: true

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v3
	if: ${{ github.event_name != 'pull_request' }}
	with:
	sarif_file: 'trivy-results.sarif'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Improve vulnerabiltiy scanning #326

Workflow file

Improve vulnerabiltiy scanning #326

Jobs

Run details

Workflow file for this run