Add trivy vulnerability scanner in build step

Signed-off-by: Thomas Ferrandiz <thomas.ferrandiz@suse.com>
2025-09-01 17:09:45 +00:00 · 2024-12-12 09:48:22 +00:00
parent e156e815ad
commit 51752f1a6e
1 changed files with 19 additions and 3 deletions
--- a/.github/workflows/image-build.yml
+++ b/.github/workflows/image-build.yml
@@ -13,7 +13,7 @@ jobs:

      # note: disable sbom/provenance for now (gchr.io does not managed well yet)
      - name: Build container image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
        with:
          context: .
          push: false
@@ -25,7 +25,7 @@ jobs:

      # note: disable sbom/provenance for now (gchr.io does not managed well yet)
      - name: Build container debug image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
        with:
          context: .
          push: false
@@ -46,7 +46,7 @@ jobs:
        uses: docker/setup-buildx-action@v3

      - name: Build container image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
        with:
          context: .
          push: false
@@ -56,6 +56,22 @@ jobs:
          sbom: false
          provenance: false

+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.29.0
+        with:
+          image-ref: ghcr.io/${{ github.repository }}:latest-thick
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+
  build-origin:
    name: Image build/origin
    runs-on: ubuntu-latest