Skip to content

Updating the main README.md #1092

Updating the main README.md

Updating the main README.md #1092

Workflow file for this run

name: Trivy
on:
push:
branches: [ develop ]
pull_request:
branches: [ develop ]
types: [opened, synchronize, reopened, ready_for_review]
jobs:
build:
if: github.event.pull_request.draft == false
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Build
runs-on: ubuntu-22.04
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Build an image from Dockerfile
run: |
docker build --pull -t docker.io/securefederatedai/openfl:${{ github.sha }} -f openfl-docker/Dockerfile.base .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: 'docker.io/securefederatedai/openfl:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
env:
TRIVY_DB_REPOSITORY: 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
- name: Install Trivy
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
- name: Run Trivy code vulnerability scanner (JSON Output)
run: |
trivy --quiet fs \
--format json \
--output trivy-code-results.json \
--ignore-unfixed \
--vuln-type os,library \
--severity CRITICAL,HIGH,MEDIUM,LOW \
--db-repository 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db' \
.
- name: Upload Code Vulnerability Scan Results
uses: actions/upload-artifact@v3
with:
name: trivy-code-report-json
path: trivy-code-results.json
- name: Run Trivy vulnerability scanner for Docker image (JSON Output)
uses: aquasecurity/[email protected]
with:
image-ref: 'docker.io/securefederatedai/openfl:${{ github.sha }}'
format: 'json'
output: 'trivy-docker-results.json'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'
env:
TRIVY_DB_REPOSITORY: 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db'
- name: Upload Docker Vulnerability Scan
uses: actions/upload-artifact@v3
with:
name: trivy-docker-report-json
path: trivy-docker-results.json
- name: Run Trivy code vulnerability scanner (SPDX-JSON Output)
run: |
trivy --quiet fs \
--format spdx-json \
--output trivy-code-spdx-results.json \
--ignore-unfixed \
--vuln-type os,library \
--severity CRITICAL,HIGH,MEDIUM,LOW \
--db-repository 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db' \
.
- name: Upload Code Vulnerability Scan Results
uses: actions/upload-artifact@v3
with:
name: trivy-code-spdx-report-json
path: trivy-code-spdx-results.json
- name: Run Trivy vulnerability scanner for Docker image (SPDX-JSON Output)
uses: aquasecurity/[email protected]
with:
image-ref: 'docker.io/securefederatedai/openfl:${{ github.sha }}'
format: 'spdx-json'
output: 'trivy-docker-spdx-results.json'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'
env:
TRIVY_DB_REPOSITORY: 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db'
- name: Upload Docker Vulnerability Scan
uses: actions/upload-artifact@v3
with:
name: trivy-docker-spdx-report-json
path: trivy-docker-spdx-results.json