ci: upgrade workflow actions version

ci: add trivy workflow
gisaia · Dec 12, 2024 · cf9c00f · cf9c00f
1 parent ba1f916
commit cf9c00f
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 3 deletions.
diff --git a/.github/workflows/.trivyignore b/.github/workflows/.trivyignore
@@ -0,0 +1 @@
+
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -8,16 +8,16 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4.1.4
 
       - name: Use Node 16
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: 16
 
       - name: Cache node modules
         id: cache-nodemodules
-        uses: actions/cache@v3
+        uses: actions/cache@v4.0.2
         with:
           path: ~/.npm
           key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -0,0 +1,30 @@
+name: Trivy
+
+on:
+  pull_request:
+    branches:
+      - develop
+
+jobs:
+  scan:
+    name: Vulnerability Scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/[email protected]
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker build -t docker.io/gisaia/arlas-wui-iam:${{ github.sha }} .
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+        with:
+          image-ref: "docker.io/gisaia/arlas-wui-iam:${{ github.sha }}"
+          format: "table"
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH"
+          trivyignores: .github/workflows/.trivyignore