Scan images and upload results before pushing them (#132)

2025-06-02 23:10:16 +00:00 · 2024-07-18 10:07:35 +02:00 · 2024-07-18 10:07:35 +02:00 · 70ca78cb05
commit 70ca78cb05
parent 4d3926cc71
2 changed files with 55 additions and 1 deletions
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@ -61,4 +61,3 @@ jobs:
        with:
            comment_tag: bot-comment
            filePath: pr-message
-
--- a/.github/workflows/reusable-build.yaml
+++ b/.github/workflows/reusable-build.yaml
@ -62,6 +62,61 @@ jobs:
          echo "lables: ${{ steps.meta.outputs.labels }}"
          echo "tags: ${{ steps.meta.outputs.tags }}"
          echo "version: ${{ steps.meta.outputs.version }}"
+      # Build amd64 image to scan for vulnerabilities
+      - name: Build framework
+        uses: docker/build-push-action@v6
+        with:
+          load: true
+          sbom: false
+          platforms: linux/amd64
+          push: false
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          target: final
+          build-args: |
+            SECURITY_PROFILE=${{ inputs.security_profile }}
+      - name: Run Trivy vulnerability scanner on PR
+        if: ${{ github.event_name == 'pull_request' }}
+        uses: aquasecurity/trivy-action@0.20.0
+        with:
+          image-ref: ${{ steps.meta.outputs.tags }}
+          exit-code: '1'
+          format: 'table'
+          severity: 'CRITICAL'
+      - name: Run Grype vulnerability scanner on PR
+        if: ${{ github.event_name == 'pull_request' }}
+        uses: anchore/scan-action@v3
+        with:
+          image: ${{ steps.meta.outputs.tags }}
+          severity-cutoff: critical
+          output-format: 'table'
+          fail-build: true
+      - name: Run Trivy vulnerability scanner on push
+        if: ${{ github.event_name == 'push' }}
+        uses: aquasecurity/trivy-action@0.20.0
+        with:
+          image-ref: ${{ steps.meta.outputs.tags }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+      - name: Run Grype vulnerability scanner on push
+        if: ${{ github.event_name == 'push' }}
+        id: grype
+        uses: anchore/scan-action@v3
+        with:
+          image: ${{ steps.meta.outputs.tags }}
+          severity-cutoff: critical
+          output-format: 'sarif'
+          fail-build: false
+      - name: Upload Trivy scan results to GitHub Security tab
+        if: ${{ github.event_name == 'push' }}
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
+      - name: Upload Grype scan results to GitHub Security tab
+        if: ${{ github.event_name == 'push' }}
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.grype.outputs.sarif }}
      - name: Build and push framework
        uses: docker/build-push-action@v6
        with: