Container Security Scan #4
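# Copyright AGNTCY Contributors (https://github.com/agntcy)
# SPDX-License-Identifier: Apache-2.0

# Nightly Trivy scan of the published oasf-sdk image. Findings are uploaded
# to code scanning (SARIF) and kept as a short-lived artifact; the final step
# fails the job when the report contains results at SARIF level "error".
name: Container Security Scan

on:
  schedule:
    - cron: "0 3 * * *"  # daily at 03:00 UTC
  workflow_dispatch:

# Least privilege: only the SARIF upload needs a write scope.
permissions:
  contents: read
  security-events: write  # upload-sarif
  actions: read           # upload-sarif needs this on private repositories
  packages: read          # pull from GHCR with GITHUB_TOKEN

jobs:
  trivy-scan:
    name: Trivy Image Scan
    runs-on: ubuntu-latest
    steps:
      # Every action is pinned to a full commit SHA; the trailing comment records the tag.
      - name: Checkout
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Log in to GHCR
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Pull image
        run: |
          set -euo pipefail
          docker pull ghcr.io/agntcy/oasf-sdk:latest
          # Confirm the image is present locally before handing it to Trivy.
          docker image inspect ghcr.io/agntcy/oasf-sdk:latest >/dev/null 2>&1

      - name: Run Trivy vulnerability scan
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          image-ref: ghcr.io/agntcy/oasf-sdk:latest
          format: sarif
          output: trivy-results.sarif
          vuln-type: "os,library"
          severity: "CRITICAL,HIGH,MEDIUM"
          ignore-unfixed: true  # findings with no available fix are left out of the report

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
        with:
          sarif_file: trivy-results.sarif
          category: trivy

      - name: Upload raw report artifact
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: trivy-report
          path: trivy-results.sarif
          retention-days: 7

      # Gate runs last so both uploads have already happened when the job fails.
      - name: Fail on critical/high vulnerabilities
        run: |
          set -euo pipefail
          # Count result entries at SARIF level "error". A line-based grep on
          # '"level": "error"' would also match each rule's defaultConfiguration
          # block and so over-count. Per Trivy's SARIF template, CRITICAL and
          # HIGH findings are both emitted at this level, so this gate covers both.
          error_count=$(jq '[.runs[]? | .results[]? | select(.level == "error")] | length' trivy-results.sarif)
          if [ "${error_count}" != "0" ]; then
            echo "::error::${error_count} critical/high vulnerabilities detected in container image."
            exit 1
          fi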