Merge pull request #1148 from noopurintel/develop #1087

Summary
Jobs
- Build
Run details
- Usage
- Workflow file

Workflow file for this run

	name: Trivy
	on:
	push:
	branches: [ develop ]
	pull_request:
	branches: [ develop ]
	types: [opened, synchronize, reopened, ready_for_review]
	jobs:
	build:
	if: github.event.pull_request.draft == false
	permissions:
	contents: read # for actions/checkout to fetch code
	security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
	actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
	name: Build
	runs-on: ubuntu-22.04
	steps:
	- name: Checkout code
	uses: actions/checkout@v3

	- name: Build an image from Dockerfile
	run: \|
	docker build --pull -t docker.io/securefederatedai/openfl:${{ github.sha }} -f openfl-docker/Dockerfile.base .

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/[email protected]
	with:
	image-ref: 'docker.io/securefederatedai/openfl:${{ github.sha }}'
	format: 'sarif'
	output: 'trivy-results.sarif'
	env:
	TRIVY_DB_REPOSITORY: 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db'

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v2
	with:
	sarif_file: 'trivy-results.sarif'

	- name: Install Trivy
	run: \|
	curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \| sudo sh -s -- -b /usr/local/bin

	- name: Run Trivy code vulnerability scanner (JSON Output)
	run: \|
	trivy --quiet fs \
	--format json \
	--output trivy-code-results.json \
	--ignore-unfixed \
	--vuln-type os,library \
	--severity CRITICAL,HIGH,MEDIUM,LOW \
	--db-repository 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db' \
	.

	- name: Upload Code Vulnerability Scan Results
	uses: actions/upload-artifact@v3
	with:
	name: trivy-code-report-json
	path: trivy-code-results.json

	- name: Run Trivy vulnerability scanner for Docker image (JSON Output)
	uses: aquasecurity/[email protected]
	with:
	image-ref: 'docker.io/securefederatedai/openfl:${{ github.sha }}'
	format: 'json'
	output: 'trivy-docker-results.json'
	exit-code: '1'
	ignore-unfixed: true
	vuln-type: 'os,library'
	severity: 'CRITICAL,HIGH,MEDIUM,LOW'
	env:
	TRIVY_DB_REPOSITORY: 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db'

	- name: Upload Docker Vulnerability Scan
	uses: actions/upload-artifact@v3
	with:
	name: trivy-docker-report-json
	path: trivy-docker-results.json

	- name: Run Trivy code vulnerability scanner (SPDX-JSON Output)
	run: \|
	trivy --quiet fs \
	--format spdx-json \
	--output trivy-code-spdx-results.json \
	--ignore-unfixed \
	--vuln-type os,library \
	--severity CRITICAL,HIGH,MEDIUM,LOW \
	--db-repository 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db' \
	.

	- name: Upload Code Vulnerability Scan Results
	uses: actions/upload-artifact@v3
	with:
	name: trivy-code-spdx-report-json
	path: trivy-code-spdx-results.json

	- name: Run Trivy vulnerability scanner for Docker image (SPDX-JSON Output)
	uses: aquasecurity/[email protected]
	with:
	image-ref: 'docker.io/securefederatedai/openfl:${{ github.sha }}'
	format: 'spdx-json'
	output: 'trivy-docker-spdx-results.json'
	exit-code: '1'
	ignore-unfixed: true
	vuln-type: 'os,library'
	severity: 'CRITICAL,HIGH,MEDIUM,LOW'
	env:
	TRIVY_DB_REPOSITORY: 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db'

	- name: Upload Docker Vulnerability Scan
	uses: actions/upload-artifact@v3
	with:
	name: trivy-docker-spdx-report-json
	path: trivy-docker-spdx-results.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #1148 from noopurintel/develop #1087

Workflow file

Merge pull request #1148 from noopurintel/develop #1087

Jobs

Run details

Workflow file for this run