gha: add trivy security scan (ark-network#277)

AreaLayer · Aug 23, 2024 · 1b9660e · 1b9660e
1 parent 1f8cdcc
commit 1b9660e
Showing 1 changed file with 35 additions and 0 deletions.
diff --git a/.github/workflows/ark.trivy.yaml b/.github/workflows/ark.trivy.yaml
@@ -0,0 +1,35 @@
+name: Trivy Security Scan
+
+on:
+  push:
+    branches: ["master"]
+  pull_request:
+    branches: ["master"]
+
+jobs:
+  build:
+    name: Build and Scan
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Build an image from Dockerfile
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          load: true
+          tags: ${{ github.repository }}:${{ github.sha }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: "${{ github.repository }}:${{ github.sha }}"
+          format: "table"
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH"