Vulnerability Scan #552

Summary
Jobs
- scan
Run details
- Usage
- Workflow file

Workflow file for this run

.github/workflows/trivy-scan.yml at 48db65a

	name: Vulnerability Scan

	on:
	schedule:
	# run every night at 4:00 AM (UTC)
	- cron: '0 4 * * *'
	# enable running the workflow manually
	workflow_dispatch:

	jobs:
	scan:
	runs-on: ubuntu-latest

	steps:
	- name: Checkout code
	uses: actions/checkout@v3

	- name: Set up Maven
	uses: stCarolas/[email protected]
	with:
	maven-version: 3.8.6

	- name: Set up JDK
	uses: actions/setup-java@v3
	with:
	distribution: "temurin"
	java-version: "17"
	cache: "maven"

	- name: Create hawkBit container images
	run: \|
	mvn clean install -DskipTests && \
	cd hawkbit-runtime/docker/docker_build && \
	chmod +x build_all_dev.sh && \
	./build_all_dev.sh && \
	cd ../../..

	- name: Determine most recent Trivy version
	run: \|
	echo "TRIVY_VERSION=$(wget -qO - 'https://api.github.com/repos/aquasecurity/trivy/releases/latest' \| \
	grep '\"tag_name\":' \| sed -E 's/.\"v([^\"]+)\"./\1/')" >> $GITHUB_ENV

	- name: Install Trivy
	run: \|
	wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz -O - \| tar -zxvf -

	- name: Scan Docker images
	run: \|
	mkdir -p scans/eclipse/hawkbit
	for IMAGE in $(docker image ls --format "{{.Repository}}:{{.Tag}}" "hawkbit/hawkbit-*:latest"); do
	echo "Scanning image ${IMAGE} ..."
	./trivy image "${IMAGE}" --ignore-unfixed --ignorefile .github/workflows/.trivyignore --severity HIGH,CRITICAL --vuln-type library --output "scans/eclipse/$IMAGE.sarif" --format sarif
	done

	- name: Upload Docker image scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v2
	with:
	sarif_file: 'scans/eclipse/hawkbit'
	category: "Container Images"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Vulnerability Scan #552

Workflow file

Vulnerability Scan #552

Jobs

Run details

Workflow file for this run