Merge pull request #72 from ba-st/security_scanning_improvements

Security scanning improvements
ba-st · Apr 26, 2024 · 3611d90 · 3611d90
2 parents 5e77dea + a7ac12d
commit 3611d90
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 1 deletion.
diff --git a/.github/workflows/docker-build-gs64.yml b/.github/workflows/docker-build-gs64.yml
@@ -9,6 +9,9 @@ on:
   pull_request:
 jobs:
    build_and_publish:
+    permissions:
+      contents: read
+      security-events: write
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
@@ -42,3 +45,20 @@ jobs:
           tags: ${{ steps.docker_meta.outputs.tags }}
           labels: ${{ steps.docker_meta.outputs.labels }}
           secrets: GIT_AUTH_TOKEN=${{ secrets.DOCKER_REGISTRY_TOKEN }}
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        if: ${{ github.event_name != 'pull_request' && matrix.version == '3.7.1' }}
+        with:
+          image-ref: ghcr.io/${{ github.repository_owner }}/launchpad-gs64-${{ matrix.version }}:${{ github.ref_name }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          limit-severities-for-sarif: true
+          ignore-unfixed: true
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: ${{ github.event_name != 'pull_request' && matrix.version == '3.7.1' }}
+        with:
+          sarif_file: 'trivy-results.sarif'
+          category: ghcr.io/${{ github.repository_owner }}/launchpad-gs64-${{ matrix.version }}:${{ github.ref_name }}
+
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -50,9 +50,9 @@ jobs:
           severity: 'CRITICAL,HIGH'
           limit-severities-for-sarif: true
           ignore-unfixed: true
-
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
         if: ${{ github.event_name != 'pull_request' }}
         with:
           sarif_file: 'trivy-results.sarif'
+          category: ghcr.io/${{ github.repository_owner }}/launchpad:${{ github.ref_name }}
diff --git a/.github/workflows/scheduled-security-scan.yml b/.github/workflows/scheduled-security-scan.yml
@@ -34,3 +34,4 @@ jobs:
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: 'trivy-results.sarif'
+          category: ghcr.io/${{ github.repository_owner }}/${{ matrix.package }}:${{ matrix.version}}