Skip to content
Security analysis

Security analysis #823

Sign in to view logs

Security analysis

Security analysis #823

Workflow file for this run

.github/workflows/security-analysis.yml at aea12a1
name: Security analysis
on:
push:
branches:
- main
pull_request:
schedule:
- cron: '0 0 * * 1'
jobs:
security-analysis:
name: Trivy scan
runs-on: ubuntu-latest
env:
CACHE_PATH: ${{ github.workspace }}/.buildx-cache
steps:
- name: Checkout repository
if: github.event_name != 'schedule'
uses: actions/checkout@v4
- name: Set up QEMU
if: github.event_name != 'schedule'
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
if: github.event_name != 'schedule'
uses: docker/setup-buildx-action@v3
- name: Cache Docker layers
if: github.event_name != 'schedule'
uses: actions/cache@v4
with:
path: ${{ env.CACHE_PATH }}
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
- name: Build docker-salt-master image
if: github.event_name != 'schedule'
uses: docker/build-push-action@v5.3.0
with:
context: .
file: ./Dockerfile
cache-from: |
type=local,src=${{ env.CACHE_PATH }}
ghcr.io/cdalvaro/docker-salt-master:latest
cache-to: type=local,dest=${{ env.CACHE_PATH }}
pull: true
load: true
tags: ghcr.io/cdalvaro/docker-salt-master:${{ github.sha }}
- name: Download and tag latest image
if: github.event_name == 'schedule'
run: |
docker pull ghcr.io/cdalvaro/docker-salt-master:latest
docker tag ghcr.io/cdalvaro/docker-salt-master:latest ghcr.io/cdalvaro/docker-salt-master:${{ github.sha }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/cdalvaro/docker-salt-master:${{ github.sha }}'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'