Trivy Analysis (indy_node:latest) #89
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Trivy Analysis (indy_node:latest) | |
| on: | |
| schedule: | |
| # run every Wednesday at 23:20 | |
| - cron: '20 23 * * 3' | |
| workflow_dispatch: | |
| jobs: | |
| workflow_setup: | |
| name: Setup variables | |
| runs-on: ubuntu-latest | |
| outputs: | |
| repo_owner: ${{ steps.repo_owner.outputs.lowercase }} | |
| steps: | |
| - name: Lowercase repo owner | |
| id: repo_owner | |
| run: echo "lowercase=$(echo ${{ github.repository_owner }} | tr \"[:upper:]\" \"[:lower:]\")" >> $GITHUB_OUTPUT | |
| shell: bash | |
| trivy_analysis: | |
| name: Trivy Analysis of Indy Node Images | |
| runs-on: "ubuntu-20.04" | |
| needs: workflow_setup | |
| strategy: | |
| matrix: | |
| os_version: [ debian10, debian11, ubuntu16, ubuntu18, ubuntu20 ] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: indy-node-version | |
| id: indy-node-version | |
| shell: bash | |
| run: | | |
| export nodeVersion=$(sed "s/~/-/" <<<$(grep -oP "indy-node=\"?\d+.\d+.\d+((~|.)?rc\d+)?\"?" build/Dockerfile.${{ matrix.os_version }} | grep -oP "\d+.\d+.\d+((~|.|-)?rc\d+)?")) | |
| echo "::debug::IndyNode Version is ${nodeVersion}" | |
| echo "::group::DEBUG" | |
| echo "IndyNode Version is ${nodeVersion}" | |
| echo "::endgroup::" | |
| echo "nodeVersion=${nodeVersion}">> $GITHUB_OUTPUT | |
| - name: Run Trivy on indy_node${{ steps.indy-node-version.outputs.nodeVersion }}:${{ matrix.os_version }} | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: 'ghcr.io/${{ needs.workflow_setup.outputs.repo_owner }}/indy-node-container/indy_node:${{ steps.indy-node-version.outputs.nodeVersion }}-${{ matrix.os_version }}-main' | |
| format: 'template' | |
| template: '@/contrib/sarif.tpl' | |
| output: 'trivy-indy-node-${{ steps.indy-node-version.outputs.nodeVersion }}-${{ matrix.os_version }}.sarif' | |
| ignore-unfixed: true | |
| severity: 'CRITICAL,HIGH' | |
| - name: Patch tool name for ${{ matrix.os_version }} scan | |
| run: | | |
| sed -i 's/"name": "Trivy",/"name": "Trivy${{ matrix.os_version }}Latest",/g' trivy-indy-node-${{ steps.indy-node-version.outputs.nodeVersion }}-${{ matrix.os_version }}.sarif | |
| - name: 'Safe trivy-indy-node-${{ matrix.os_version }}.sarif' | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: trivy-indy-node-${{ steps.indy-node-version.outputs.nodeVersion }}-${{ matrix.os_version }}.sarif | |
| path: trivy-indy-node-${{ steps.indy-node-version.outputs.nodeVersion }}-${{ matrix.os_version }}.sarif | |
| retention-days: 8 | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: 'trivy-indy-node-${{ steps.indy-node-version.outputs.nodeVersion }}-${{ matrix.os_version }}.sarif' | |