---
# Image vulnerability scan: runs on pushes to the two branches below.
name: Scan image

# `on` is read as a mapping key by GitHub's loader (generic YAML 1.1
# loaders see the boolean `true`; that is expected for workflow files).
on:
  push:
    branches:
      - dsl2
      - orca-249-push-to-ghcr
env:
  # Registry the image is pulled from; use docker.io for Docker Hub if empty.
  REGISTRY: "ghcr.io"
  # Not referenced by any step of this workflow (the image name is built
  # from github.repository); kept for compatibility.
  IMAGE_NAME: "sage-bionetowk"
  # Tag that is pulled and scanned.
  IMAGE_TAG: "latest"
  # Tag to compare against, `latest` if empty, assuming it is already pushed.
  # Not referenced by any step of this workflow.
  COMPARE_TAG: "latest"
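jobs:
  trivy-edge:
    name: Run Trivy vulnerability scanner
    runs-on: ubuntu-latest
    # Advisory job: a failure here does not fail the workflow run.
    # A failing step still stops the later steps of this job (so no SARIF
    # upload happens if the scan itself errors).
    continue-on-error: true
    # Least-privilege GITHUB_TOKEN: the job only reads the repo, pulls from
    # GHCR and writes to the code-scanning (SARIF) endpoint. Without this the
    # job inherits whatever the repository's default token permissions are,
    # and upload-sarif fails outright when that default is read-only.
    permissions:
      contents: read
      packages: read
      security-events: write
      actions: read  # required by upload-sarif only in private repositories
    steps:
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract Docker metadata
        id: metadata
        uses: docker/metadata-action@v4
        with:
          images: ${{ env.REGISTRY }}/${{ github.repository }}
          tags: ${{ env.IMAGE_TAG }}
      # The scanned ref is a mutable tag, so two runs of this job can scan
      # different images; the SARIF category below records which tag it was.
      - name: Pull the image
        run: |
          docker pull ${{ steps.metadata.outputs.tags }}
      # Only CRITICAL/HIGH findings that already have a fix go to the SARIF
      # report that feeds the Security tab.
      - name: Run Trivy vulnerability scanner for any major issues
        # Pinned to a release instead of the mutable `master` branch so an
        # upstream change cannot silently alter what runs with the registry
        # credentials; a full commit SHA is the stricter pin.
        uses: aquasecurity/trivy-action@0.12.0
        with:
          image-ref: ${{ steps.metadata.outputs.tags }}
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'
          limit-severities-for-sarif: true
          format: template
          template: '@/contrib/sarif.tpl'
          output: trivy-results.sarif
      # Show all detected issues.
      # Note this will show a lot more, including major un-fixed ones.
      - name: Run Trivy vulnerability scanner for local output
        uses: aquasecurity/trivy-action@0.12.0
        with:
          image-ref: ${{ steps.metadata.outputs.tags }}
          format: table
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: trivy-results.sarif
          # One category per scanned ref keeps results of different tags apart.
          category: ${{ steps.metadata.outputs.tags }} image
          wait-for-processing: true
      - name: Detain results for debug if needed
        uses: actions/upload-artifact@v3
        with:
          name: trivy-results.sarif
          path: trivy-results.sarif
          # A missing report means the scan step did not produce output;
          # surface that instead of uploading nothing.
          if-no-files-found: error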