diff --git a/.github/workflows/image-build.yml b/.github/workflows/image-build.yml index 3ba8d608e..d0fe98450 100644 --- a/.github/workflows/image-build.yml +++ b/.github/workflows/image-build.yml @@ -13,7 +13,7 @@ jobs: # note: disable sbom/provenance for now (gchr.io does not managed well yet) - name: Build container image - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: . push: false @@ -25,7 +25,7 @@ jobs: # note: disable sbom/provenance for now (gchr.io does not managed well yet) - name: Build container debug image - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: . push: false @@ -46,7 +46,7 @@ jobs: uses: docker/setup-buildx-action@v3 - name: Build container image - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6 with: context: . push: false @@ -56,6 +56,22 @@ jobs: sbom: false provenance: false + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.29.0 + with: + image-ref: ghcr.io/${{ github.repository }}:latest-thick + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + format: 'sarif' + output: 'trivy-results.sarif' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: 'trivy-results.sarif' + build-origin: name: Image build/origin runs-on: ubuntu-latest diff --git a/images/Dockerfile.thick b/images/Dockerfile.thick index 86ba7f807..01ecf6faa 100644 --- a/images/Dockerfile.thick +++ b/images/Dockerfile.thick @@ -1,9 +1,10 @@ # This Dockerfile is used to build the image available on DockerHub -FROM golang:1.23 AS build +FROM --platform=$BUILDPLATFORM golang:1.23 as build # Add everything ADD . /usr/src/multus-cni +ARG TARGETPLATFORM RUN cd /usr/src/multus-cni && \ ./hack/build-go.sh