
Claude/add trivy scanning h0 thn #10



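# CI for pull requests into main: commit-message lint, Containerfile lint,
# then an image build that is checked with Dive and scanned with Trivy.
name: CI
on:
  pull_request:
    branches: [main]

# Read-only token scope for every job.
permissions:
  contents: read
  pull-requests: read

jobs:
  commitlint:
    name: Lint commit messages
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so commitlint can see every commit in the PR range.
          fetch-depth: 0
      - uses: wagoid/commitlint-github-action@v6

  hadolint:
    name: Lint Containerfile
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: Containerfile

  build:
    name: Build and scan
    runs-on: ubuntu-latest
    # Only build an image whose Containerfile already passed lint.
    needs: [hadolint]
    steps:
      - uses: actions/checkout@v4

      # NOTE(review): yq and Dive are fetched from GitHub releases and executed
      # without any checksum or signature verification, and every action is
      # pinned to a tag rather than a commit SHA. Both are supply-chain weak
      # points: verify the release artifacts (sha256sum -c against a known
      # checksum) and pin actions to commit SHAs once those values are at hand.
      - name: Install yq
        run: |
          # -f: an HTTP error (e.g. 404) fails this step instead of saving the
          # error page to /usr/local/bin/yq and marking it executable.
          sudo curl -fsSL -o /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/download/v4.45.4/yq_linux_amd64"
          sudo chmod +x /usr/local/bin/yq

      - name: Build image
        run: |
          # Capture the build args first: under GitHub's default `bash -e` run
          # shell a failing yq (missing manifest.yaml, bad query) now aborts the
          # step, instead of being swallowed inside `for ... in $(...)` and
          # silently building the image with no build args at all.
          args=$(yq e '.build.args[]' manifest.yaml)
          BUILD_ARGS=""
          for arg in $args; do
            BUILD_ARGS="${BUILD_ARGS} --build-arg ${arg}"
          done
          # BUILD_ARGS is intentionally unquoted so each --build-arg word-splits.
          # shellcheck disable=SC2086
          docker build -f Containerfile ${BUILD_ARGS} -t test-build .

      - name: Install Dive
        run: |
          DIVE_VERSION=0.12.0
          # -f: fail on an HTTP error rather than handing apt a non-.deb file.
          curl -fsSL -o /tmp/dive.deb "https://github.com/wagoodman/dive/releases/download/v${DIVE_VERSION}/dive_${DIVE_VERSION}_linux_amd64.deb"
          sudo apt install -y /tmp/dive.deb
          rm /tmp/dive.deb

      # --ci runs Dive without its TUI and fails the step when its CI rules
      # are not met.
      - name: Dive filesystem scan
        run: dive --ci --source=docker test-build

      - name: Cache Trivy vulnerability DB
        uses: actions/cache@v4
        with:
          path: ~/.cache/trivy
          # run_id is unique per run, so the exact key never hits and each run
          # saves a fresh DB; restore-keys seeds it from the newest previous one.
          key: trivy-db-${{ runner.os }}-${{ github.run_id }}
          restore-keys: |
            trivy-db-${{ runner.os }}-

      # Fails the job on any unsuppressed HIGH or CRITICAL finding in the
      # locally built image.
      - name: Trivy vulnerability scan
        uses: aquasecurity/trivy-action@0.24.0
        with:
          image-ref: test-build
          severity: 'HIGH,CRITICAL'
          exit-code: '1'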