-
Notifications
You must be signed in to change notification settings - Fork 0
80 lines (78 loc) · 2.14 KB
/
trivy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
---
# ------------------------------------------------------------------------------
# https://github.com/aquasecurity/trivy
# https://github.com/aquasecurity/trivy-action#inputs
#
# Build image:
# ghcr.io/dfe-digital/early-years-foundation-recovery:latest
#
name: OS Security
on:
push:
paths:
- Dockerfile
- Gemfile
- Gemfile.lock
- package.json
- yarn.lock
env:
REGISTRY: ghcr.io/dfe-digital/early-years-foundation-recovery
jobs:
build:
name: Build and validate Docker image
runs-on: ubuntu-latest
steps:
-
name: Checkout Code
uses: actions/checkout@v4
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
platforms: linux/amd64,linux/arm64
-
name: Login to Github Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
-
name: Build and push Docker image (dependencies)
uses: docker/build-push-action@v6
with:
target: deps
context: .
push: true
build-args: |
BUILDKIT_INLINE_CACHE=1
SHA=${{ github.sha }}
cache-from: |
${{ env.REGISTRY }}:deps
tags: |
${{ env.REGISTRY }}:deps
-
name: Build and push Docker image (application)
uses: docker/build-push-action@v6
with:
target: app
context: .
push: true
build-args: |
BUILDKIT_INLINE_CACHE=1
SHA=${{ github.sha }}
cache-from: |
${{ env.REGISTRY }}:${{ github.sha }}
${{ env.REGISTRY }}:latest
tags: |
${{ env.REGISTRY }}:${{ github.sha }}
-
name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: ${{ env.REGISTRY }}:${{ github.sha }}
format: table
exit-code: 1
ignore-unfixed: true
vuln-type: os,library
severity: CRITICAL,HIGH