Add dependabot configuration and trivy scans (#2262)

* Add Dependabot configuration * Add vulnerability scan step for the AWS ECR images
onaio · Jun 16, 2022 · 03104d0 · 03104d0
2 parents 5d02703 + 3b45f05
commit 03104d0
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 1 deletion.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,13 @@
+version: 2
+updates:
+  - package-ecosystem: pip
+    directory: /requirements
+    schedule:
+      interval: daily
+    open-pull-requests-limit: 5
+    commit-message:
+      prefix: requirements
+    reviewers:
+      - "ukanga"
+      - "KipSigei"
+      - "DavisRayM"
diff --git a/.github/workflows/ecr-image-build.yml b/.github/workflows/ecr-image-build.yml
@@ -15,7 +15,7 @@ on:
               default: ''
 
 jobs:
-  main:
+  build:
     runs-on: ubuntu-20.04
     steps:
       - name: Checkout
@@ -75,3 +75,16 @@ jobs:
 
       - name: Image digest
         run: echo ${{ steps.docker-build.outputs.digest }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ steps.login-ecr.outputs.registry }}/onaio/onadata:${{ github.event.inputs.versionTag || steps.get-version.outputs.VERSION || steps.get-branch-name.outputs.BRANCH }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan result to Github security lab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: 'trivy-results.sarif'
+