ci: add trivy

tristiisch · Sep 30, 2024 · 58bb655 · 58bb655
1 parent 9ecab71
commit 58bb655
Showing 1 changed file with 58 additions and 8 deletions.
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
@@ -205,22 +205,72 @@ jobs:
           provenance: mode=max
           build-args: |
             PROJECT_VERSION=${{ needs.info.outputs.project_version }}
-          outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
+          outputs: |
+            type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
+            type=tar,dest=./pyramid.tar
 
-      - name: Export digest
+      - name: Export image digest
         run: |
           mkdir -p /tmp/digests
           digest="${{ steps.build.outputs.digest }}"
           touch "/tmp/digests/${digest#sha256:}"
 
-      - name: Upload digest
+      - name: Upload image digest as artifact
         uses: actions/upload-artifact@v4
         with:
           name: digests-${{ env.PLATFORM_PAIR }}
           path: /tmp/digests/*
           if-no-files-found: error
           retention-days: 1
 
+      - name: Upload image as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: image-${{ env.PLATFORM_PAIR }}
+          path: ./pyramid.tar
+          if-no-files-found: error
+          retention-days: 1
+
+  security_scanner:
+    name: "Security scan"
+    needs: ["docker_image_build"]
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        platform:
+          - linux/amd64
+          - linux/arm64
+
+    steps:
+      - name: Prepare
+        run: |
+          platform=${{ matrix.platform }}
+          echo "platform_pair=${platform//\//-}" >> $GITHUB_OUTPUT
+        id: prepare
+
+      - name: Download tests image
+        uses: actions/download-artifact@v4
+        with:
+          name: image-${{ steps.prepare.outputs.platform_pair }}
+
+    #   - name: Load Docker image
+    #     run: |
+    #         loaded_image=$(docker load -i "./pyramid.tar" | grep -oP '(?<=Loaded image: ).*')
+    #         echo "image_with_tag=$loaded_image" >> $GITHUB_OUTPUT
+    #     id: docker_load_image
+
+    #   - name: Verify loaded image
+    #     run: |
+    #       echo "Loaded image tag: ${{ steps.docker_load_image.outputs.image_with_tag }}"
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action
+        with:
+          input: './pyramid.tar'
+          format: 'github'
+          github-pat: '${{ secrets.GITHUB_TOKEN }}'
+
   docker_image_test_build:
     name: "Build Tests"
     needs: ["info", "docker_image_build"]
@@ -254,13 +304,13 @@ jobs:
           push: false
           outputs: type=docker
 
-      - name: Export digest
+      - name: Export tests image
         run: docker save pyramid:tests -o "./pyramid-tests.tar"
 
-      - name: Upload digest
+      - name: Upload tests image as artifact
         uses: actions/upload-artifact@v4
         with:
-          name: digests-tests
+          name: image-tests
           path: ./pyramid-tests.tar
           if-no-files-found: error
           retention-days: 1
@@ -271,10 +321,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - name: Download test digests
+      - name: Download tests image
         uses: actions/download-artifact@v4
         with:
-          name: digests-tests
+          name: image-tests
 
       - name: Load Docker image
         run: docker load -i "./pyramid-tests.tar"