Update docker-build.yml

aneisch · Jul 22, 2024 · 00edd38 · 00edd38
1 parent d3445a2
commit 00edd38
Showing 1 changed file with 12 additions and 6 deletions.
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -23,11 +23,17 @@ jobs:
       - name: Attempt Build
         run: docker build . --file Dockerfile -t $IMAGE_NAME
 
-      - name: Assess Vulnerability
-        uses: Azure/container-scan@v0
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
         with:
-          image-name: ${{ env.IMAGE_NAME }}
-          run-quality-checks: false
+          image-ref: '$IMAGE_NAME'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
 
       - name: Log into Registry
         run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
@@ -48,7 +54,7 @@ jobs:
           docker tag $IMAGE_NAME $IMAGE_ID:$VERSION
           docker push $IMAGE_ID:$VERSION
 
-  build_assess_push_multiarch:
+  build_multiarch:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
@@ -74,4 +80,4 @@ jobs:
           tags: ghcr.io/aneisch/thermostat_api_server:latest-arm64
           platforms: linux/arm64/v8
           cache-from: type=local,src=/tmp/.buildx-cache
-          cache-to: type=local,dest=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache