diff --git a/.github/actions/security-scans/action.yml b/.github/actions/security-scans/action.yml
index cbbe1078..74b7e1f1 100644
--- a/.github/actions/security-scans/action.yml
+++ b/.github/actions/security-scans/action.yml
@@ -62,3 +62,28 @@ runs:
 if: ${{ steps.snyk.outcome == 'success' }}
 with:
 sarif_file: snyk.sarif
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.33.1
+ id: trivy
+ continue-on-error: true
+ with:
+ version: 'latest'
+ image-ref: '${{ inputs.image }}'
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v4
+ if: ${{ steps.trivy.outcome == 'success' }}
+ with:
+ sarif_file: 'trivy-results.sarif'
+
+ - name: Review Security checks
+ if: |
+ steps.snyk.outcome != 'success' &&
+ steps.trivy.outcome != 'success'
+ shell: bash
+ run: |
+ echo "None of the security checks succeeded (Snyk and Trivy)"
+ exit 1
diff --git a/.github/workflows/bake_targets.yml b/.github/workflows/bake_targets.yml
index 84d44e08..c6ba6673 100644
--- a/.github/workflows/bake_targets.yml
+++ b/.github/workflows/bake_targets.yml
@@ -39,7 +39,7 @@ jobs:
 testbuild:
 # Start by building images for testing. We want to run security checks before pushing those to production.
 name: PostgreSQL ${{ inputs.postgresql_version }}
- runs-on: ubuntu-24.04
+ runs-on: ubuntu-latest-16-cores
 permissions:
 contents: read
 packages: write
@@ -130,7 +130,7 @@ jobs:
 security:
 name: Security checks
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-4-cores
 permissions:
 contents: read
 packages: read
@@ -145,7 +145,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 - name: Security checks
- uses: cloudnative-pg/postgres-containers/.github/actions/security-scans@main
+ uses: ./.github/actions/security-scans/
 with:
 image: "${{ matrix.image }}"
 registry_user: ${{ github.actor }}
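Review bot: The two third-party actions added in the action.yml hunk are pinned by mutable tag (`uses: aquasecurity/trivy-action@0.33.1`, `uses: github/codeql-action/upload-sarif@v4`) while the same change keeps `actions/checkout` pinned to a full commit SHA with a `# v6` comment; pinning both the same way, and replacing `version: 'latest'` with a fixed Trivy release, keeps the scanner and its SARIF output reproducible and closes the tag-retarget window on the supply chain. Separately, `steps.trivy.outcome == 'success'` only says the scan step ran to completion: with `continue-on-error: true` and SARIF output, a scan that reports findings still counts as a success, so the final "Review Security checks" gate fails only when neither scanner could run, not when either found something. If findings are meant to block the build, the gate needs to read the scan result as well (for Trivy the action's `exit-code` input makes the step fail on findings), and a comment on that step should state which of the two behaviours is intended. The Snyk step referenced as `steps.snyk` lies outside the hunk.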
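Review bot: `runs-on: ubuntu-latest-16-cores` replaces the pinned `ubuntu-24.04` image for the `testbuild` job, so the build host now floats with whatever `ubuntu-latest` resolves to; the `security` job hunk makes the same move with `ubuntu-latest-4-cores`. Both labels look like organisation-defined larger-runner names rather than GitHub-hosted defaults, so a fork or a repository without that runner group will queue indefinitely instead of failing fast; a comment such as `# org-defined larger runner; jobs will not schedule where this label is absent` next to each label would make that dependency explicit. If the extra cores are the motivation, keeping the OS version in the label (where the runner group offers one) preserves the reproducibility the previous pin gave the image builds.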
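Review bot: The new `uses: ./.github/actions/security-scans/` carries a trailing slash; the documented form for a repository-local action is the bare directory path, `uses: ./.github/actions/security-scans`, and dropping the slash matches the other `uses:` lines in the file. Consuming the composite action from the checkout instead of `@main` is the right direction, since the action and the workflow calling it now change in the same commit, but a local path silently depends on the preceding checkout step, which is worth a comment such as `# local composite action; requires the actions/checkout step above`. The `with:` block of this step continues past the end of the hunk.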