
Set Trivy container image scan to output to Code Scanning #242


name: build and push image (Alpine version)
on:
push:
branches:
- "master"
paths:
- Dockerfile
- .github/workflows/docker-build-alpine.yml
- renew*.py
- requirements.txt
env:
IMAGE_NAME: "simaofsilva/noip-renewer"
PIP_VERSION: "23.3.1" # renovate: datasource=pypi depName=pip versioning=pep440
jobs:
build_alpine:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4.1.1
- name: Get commit short hash
id: short_digest
run: echo "shortsha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
- name: Build image for tests
uses: docker/build-push-action@v5.0.0
with:
context: .
platforms: linux/amd64
load: true
tags: ${{ env.IMAGE_NAME }}:test-alpine
file: Dockerfile
build-args: |
PIP_VERSION=${{ env.PIP_VERSION }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.IMAGE_NAME }}:test-alpine
format: "table"
exit-code: "1"
ignore-unfixed: true
vuln-type: "os,library"
severity: "MEDIUM,HIGH,CRITICAL"
skip-files: "/usr/bin/geckodriver,/usr/local/bin/geckodriver"
- name: Upload Trivy scan results to GitHub Security
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
# Path to SARIF file relative to the root of the repository
sarif_file: trivy-alpine-image-scan.sarif
# Optional category for the results
# Used to differentiate multiple results for one commit
category: alpine-image-scan
- name: Set up QEMU
uses: docker/setup-qemu-action@v3.0.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3.0.0
- name: Login to DockerHub
uses: docker/login-action@v3.0.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Build and push for Docker Hub
id: docker_build
uses: docker/build-push-action@v5.0.0
with:
context: .
platforms: linux/amd64,linux/arm64/v8
push: true
tags: |
${{ env.IMAGE_NAME }}:${{ steps.short_digest.outputs.shortsha }}-alpine
${{ env.IMAGE_NAME }}:alpine
${{ env.IMAGE_NAME }}:latest
file: Dockerfile
build-args: |
PIP_VERSION=${{ env.PIP_VERSION }}
# delete_old_runs:
# runs-on: ubuntu-latest
# steps:
# - name: Delete workflow runs
# uses: Mattraks/delete-workflow-runs@v2.0.3
# with:
# token: ${{ github.token }}
# repository: ${{ github.repository }}
# retain_days: 15
# keep_minimum_runs: 5
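Review bot: The upload step at L51-L59 expects `trivy-alpine-image-scan.sarif`, but the scan step at L41-L50 still uses `format: "table"` with no `output:` input, so that file is never written, `upload-sarif` fails on every run, and nothing reaches Code Scanning despite the PR title. The scan step should set `format: "sarif"` and `output: "trivy-alpine-image-scan.sarif"` (both are trivy-action inputs); `exit-code: "1"` can stay so findings still block the later push. The workflow also declares no `permissions:` block, and `upload-sarif` needs `security-events: write`, which the default token may not grant depending on the repository's token setting, so an explicit least-privilege block avoids depending on that default. Separately, `aquasecurity/trivy-action@master` is a mutable ref while every other action here is pinned; pinning the scanner to a release tag or commit SHA keeps it from becoming the one unverified piece of the pipeline. Because the upload uses `if: always()`, it also runs when the image build failed before the scan ever ran, so `if: always() && hashFiles('trivy-alpine-image-scan.sarif') != ''` would avoid a second, spurious failure in that case.
```yaml
env:
  IMAGE_NAME: "simaofsilva/noip-renewer"
  PIP_VERSION: "23.3.1" # renovate: datasource=pypi depName=pip versioning=pep440
permissions:
  contents: read
  security-events: write
# … unchanged: jobs/build_alpine checkout, short hash and test build steps …
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@<pinned release tag or commit SHA>
        with:
          image-ref: ${{ env.IMAGE_NAME }}:test-alpine
          format: "sarif"
          output: "trivy-alpine-image-scan.sarif"
          exit-code: "1"
# … unchanged: ignore-unfixed, vuln-type, severity, skip-files …
      - name: Upload Trivy scan results to GitHub Security
        uses: github/codeql-action/upload-sarif@v2
        if: always() && hashFiles('trivy-alpine-image-scan.sarif') != ''
# … unchanged: sarif_file, category and the remaining build/push steps …
```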