From ae93e42e8e93453784ad60877dcc5c05ec394eee Mon Sep 17 00:00:00 2001
From: dfeetenby
Date: Wed, 13 Nov 2024 10:45:53 +0000
Subject: [PATCH] Add fallback deb_repo
Add fallback to trivy to compensate for ratelimiting errors
---
.github/workflows/trivy.yml | 137 ++++++++++++++++++------------------
1 file changed, 69 insertions(+), 68 deletions(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 6a173d3c3..d70ecf0f4 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -1,76 +1,77 @@ ---
-# ------------------------------------------------------------------------------
-# https://github.com/aquasecurity/trivy
-# https://github.com/aquasecurity/trivy-action#inputs
-#
-name: OS Security
-on:
- pull_request:
- paths:
- - Dockerfile
- - Gemfile
- - Gemfile.lock
- - package.json
- - yarn.lock
+ # ------------------------------------------------------------------------------
+ # https://github.com/aquasecurity/trivy
+ # https://github.com/aquasecurity/trivy-action#inputs
+ #
+ name: OS Security
+ on:
+ pull_request:
+ paths:
+ - Dockerfile
+ - Gemfile
+ - Gemfile.lock
+ - package.json
+ - yarn.lock
-permissions:
- packages: write
- pull-requests: write
+ permissions:
+ packages: write
+ pull-requests: write
-env:
- DOCKER_IMAGE: ghcr.io/dfe-digital/early-years-foundation-recovery
- RUN_TRIVY_SCAN: true # Set to true to re-enable
+ env:
+ DOCKER_IMAGE: ghcr.io/dfe-digital/early-years-foundation-recovery
+ RUN_TRIVY_SCAN: true # Set to true to re-enable
-jobs:
- build:
- name: Build and validate Docker image
- runs-on: ubuntu-latest
- steps:
- # Checkout the repository to the GitHub Actions runner
- - name: Checkout Code
- uses: actions/checkout@v4
- with:
- ref: ${{ github.event.pull_request.head.sha }}
+ jobs:
+ build:
+ name: Build and validate Docker image
+ runs-on: ubuntu-latest
+ steps:
+ # Checkout the repository to the GitHub Actions runner
+ - name: Checkout Code
+ uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.head.sha }}
- # Create and boot Docker image builder
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
- with:
- version: v0.9.1
+ # Create and boot Docker image builder
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ with:
+ version: v0.9.1
- # Login to the container registry
- - name: Login to Github Container Registry
- uses: docker/login-action@v3
- with:
- registry: ghcr.io
- username: ${{ github.repository_owner }}
- password: ${{ 
secrets.GITHUB_TOKEN }}
+ # Login to the container registry
+ - name: Login to Github Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
- # Build and push image
- - name: Build and push Docker image
- uses: docker/build-push-action@v6
- with:
- target: app
- context: .
- push: true
- build-args: |
- BUILDKIT_INLINE_CACHE=1
- SHA=${{ github.event.pull_request.head.sha }}
- cache-from: |
- ${{ env.DOCKER_IMAGE }}:${{ github.event.pull_request.head.sha }}
- tags: |
- ${{ env.DOCKER_IMAGE }}:${{ github.event.pull_request.head.sha }}
+ # Build and push image
+ - name: Build and push Docker image
+ uses: docker/build-push-action@v6
+ with:
+ target: app
+ context: .
+ push: true
+ build-args: |
+ BUILDKIT_INLINE_CACHE=1
+ SHA=${{ github.event.pull_request.head.sha }}
+ cache-from: |
+ ${{ env.DOCKER_IMAGE }}:${{ github.event.pull_request.head.sha }}
+ tags: |
+ ${{ env.DOCKER_IMAGE }}:${{ github.event.pull_request.head.sha }}
- # Scan image
- - name: Run Trivy vulnerability scanner
- if: env.RUN_TRIVY_SCAN == 'true'
- uses: aquasecurity/trivy-action@0.28.0
- with:
- image-ref: ${{ env.DOCKER_IMAGE }}:${{ github.event.pull_request.head.sha }}
- format: table
- exit-code: 1
- ignore-unfixed: true
- scanners: vuln
- vuln-type: os,library
- severity: CRITICAL,HIGH
+ # Scan image
+ - name: Run Trivy vulnerability scanner
+ if: env.RUN_TRIVY_SCAN == 'true'
+ uses: aquasecurity/trivy-action@0.28.0
+ with:
+ image-ref: ${{ env.DOCKER_IMAGE }}:${{ github.event.pull_request.head.sha }}
+ format: table
+ exit-code: 1
+ ignore-unfixed: true
+ scanners: vuln
+ vuln-type: os,library
+ severity: CRITICAL,HIGH
+ version: "v0.57.1"
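Review bot: The only functional change in this hunk is the added `version: "v0.57.1"` input on the "Run Trivy vulnerability scanner" step, which pins the scanner CLI, but nothing here configures the fallback source that the commit message ("Add fallback deb_repo … compensate for ratelimiting errors") describes, so either the message or the change is incomplete. If the goal is to avoid rate limits on the vulnerability-DB pull, the knob Trivy exposes for that is the `TRIVY_DB_REPOSITORY` environment variable on the scan step pointing at a mirror of the DB; a pinned CLI version alone does not change where the DB is fetched from. The remainder of the hunk appears to re-indent every line of the file under the `---` document marker (68 deletions against 69 insertions for a one-line change), which buries the real change in review and in blame — if that was not intended, revert the re-indent and keep only the `version:` line. Separately, every `uses:` reference on the new side, including `aquasecurity/trivy-action@0.28.0`, is pinned to a mutable tag; for a job that holds `packages: write`, pin third-party actions to a full commit SHA with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha>  # 0.28.0`. `pull-requests: write` is also granted but no step in this hunk uses it, so it can be dropped.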