Scan Docker Image #121
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Scan Docker Image | |
on: | |
workflow_dispatch: | |
schedule: | |
# every monday at 10:00 UTC | |
- cron: "0 10 * * 1" | |
permissions: | |
# used by trivy | |
contents: read | |
packages: read | |
security-events: write | |
jobs: | |
scan-docker-image: | |
name: Scan Docker Image | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis | |
- name: Set up JDK 17 | |
uses: actions/setup-java@v4 | |
with: | |
java-version: '17' | |
distribution: 'temurin' | |
cache: maven | |
- name: Get Image Name | |
id: get-image-name | |
run: echo "image-name=$(mvn help:evaluate -Dexpression=image.name -q -DforceStdout)" >> $GITHUB_OUTPUT | |
- name: Scan Docker Image for Vulnerabilities | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: ${{ steps.get-image-name.outputs.image-name }} | |
format: sarif | |
output: trivy-results.sarif | |
- name: Upload Trivy Results to GitHub Security Tab | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: trivy-results.sarif |