Add Trivy code scanning

ahdis · Jan 24, 2024 · e38220e · e38220e
1 parent 1e4e25c
commit e38220e
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 4 deletions.
diff --git a/.github/workflows/googleregistry.yml b/.github/workflows/googleregistry.yml
@@ -21,6 +21,7 @@ jobs:
     permissions:
       contents: read
       id-token: write
+      security-events: write
 
     steps:
       - name: Checkout
@@ -65,3 +66,19 @@ jobs:
             --platform=linux/arm64,linux/amd64 \
             -f matchbox-server/Dockerfile \
             matchbox-server
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: '${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.PROJECT_ID }}/${{ env.REPOSITORY }}/${{ env.IMAGE }}:${{ github.ref_name }}'
+          format: 'sarif'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/codeql_java.yml → .github/workflows/security.yml b/.github/workflows/codeql_java.yml → .github/workflows/security.yml
@@ -1,7 +1,7 @@
 # This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time
 # For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven
 
-name: CodeQL Java
+name: Security checks
 
 on:
   push:
@@ -12,8 +12,8 @@ on:
     - cron: '0 8 * * 1'
 
 jobs:
-  build:
-    name: Analyze the Java code
+  codeql:
+    name: Analyze the Java code with CodeQL
     runs-on: ubuntu-latest
     permissions:
       actions: read
@@ -29,7 +29,7 @@ jobs:
       - name: Checkout the repository
         uses: actions/checkout@v3
 
-      - name: Setup Java 17
+      - name: Setup Java 20
         uses: actions/setup-java@v3
         with:
           java-version: 20
@@ -55,3 +55,30 @@ jobs:
 
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v2
+
+  trivy:
+    name: Analyze the Java code with Trivy
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout the repository
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'