Always run all trivy scans if the build was successful
jmthomas committed Dec 19, 2024
1 parent 9928d96 commit b473f67
Showing 1 changed file with 32 additions and 2 deletions.
34 changes: 32 additions & 2 deletions .github/workflows/trivy.yml
Expand Up @@ -21,17 +21,17 @@ jobs:
openc3-scan:
if: ${{ github.actor != 'dependabot[bot]' }}
runs-on: ubuntu-latest
strategy:
fail-fast: false
steps:
- uses: actions/checkout@v4
- name: openc3.sh build
id: build
# This `shell` line is required to get around a known issue: https://github.com/actions/runner/issues/241#issuecomment-745902718
shell: 'script -q -e -c "bash {0}"'
run: ./openc3.sh build
env:
OPENC3_TAG: ${{ github.sha }}
- name: Run Trivy on image ruby
if: steps.build.outcome == 'success'
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-ruby:${{ github.sha }}"
Expand All @@ -43,11 +43,13 @@ jobs:
scanners: "vuln"
severity: "CRITICAL,HIGH"
- name: Upload Trivy scan results
if: steps.build.outcome == 'success'
uses: github/codeql-action/upload-sarif@v3
with:
category: "openc3-ruby"
sarif_file: "trivy-ruby.sarif"
- name: Run Trivy on image node
if: steps.build.outcome == 'success'
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-node:${{ github.sha }}"
Expand All @@ -58,12 +60,16 @@ jobs:
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
# On a subsequent call to the action we know trivy is already installed so can skip this
skip-setup-trivy: true
- name: Upload Trivy scan results
if: steps.build.outcome == 'success'
uses: github/codeql-action/upload-sarif@v3
with:
category: "openc3-node"
sarif_file: "trivy-node.sarif"
- name: Run Trivy on image base
if: steps.build.outcome == 'success'
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-base:${{ github.sha }}"
Expand All @@ -74,12 +80,15 @@ jobs:
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
skip-setup-trivy: true
- name: Upload Trivy scan results
if: steps.build.outcome == 'success'
uses: github/codeql-action/upload-sarif@v3
with:
category: "openc3-base"
sarif_file: "trivy-base.sarif"
- name: Run Trivy on image cosmos-init
if: steps.build.outcome == 'success'
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-cosmos-init:${{ github.sha }}"
Expand All @@ -90,12 +99,15 @@ jobs:
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
skip-setup-trivy: true
- name: Upload Trivy scan results
if: steps.build.outcome == 'success'
uses: github/codeql-action/upload-sarif@v3
with:
category: "openc3-init"
sarif_file: "trivy-init.sarif"
- name: Run Trivy on image redis
if: steps.build.outcome == 'success'
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-redis:${{ github.sha }}"
Expand All @@ -106,12 +118,15 @@ jobs:
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
skip-setup-trivy: true
- name: Upload Trivy scan results
if: steps.build.outcome == 'success'
uses: github/codeql-action/upload-sarif@v3
with:
category: "openc3-redis"
sarif_file: "trivy-redis.sarif"
- name: Run Trivy on image minio
if: steps.build.outcome == 'success'
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-minio:${{ github.sha }}"
Expand All @@ -122,12 +137,15 @@ jobs:
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
skip-setup-trivy: true
- name: Upload Trivy scan results
if: steps.build.outcome == 'success'
uses: github/codeql-action/upload-sarif@v3
with:
category: "openc3-minio"
sarif_file: "trivy-minio.sarif"
- name: Run Trivy on image operator
if: steps.build.outcome == 'success'
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-operator:${{ github.sha }}"
Expand All @@ -138,12 +156,15 @@ jobs:
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
skip-setup-trivy: true
- name: Upload Trivy scan results
if: steps.build.outcome == 'success'
uses: github/codeql-action/upload-sarif@v3
with:
category: "openc3-operator"
sarif_file: "trivy-operator.sarif"
- name: Run Trivy on image cmd-tlm-api
if: steps.build.outcome == 'success'
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-cosmos-cmd-tlm-api:${{ github.sha }}"
Expand All @@ -154,12 +175,15 @@ jobs:
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
skip-setup-trivy: true
- name: Upload Trivy scan results
if: steps.build.outcome == 'success'
uses: github/codeql-action/upload-sarif@v3
with:
category: "openc3-cmd-tlm-api"
sarif_file: "trivy-cmd-tlm-api.sarif"
- name: Run Trivy on image script-runner-api
if: steps.build.outcome == 'success'
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-cosmos-script-runner-api:${{ github.sha }}"
Expand All @@ -170,12 +194,15 @@ jobs:
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
skip-setup-trivy: true
- name: Upload Trivy scan results
if: steps.build.outcome == 'success'
uses: github/codeql-action/upload-sarif@v3
with:
category: "openc3-script-runner-api"
sarif_file: "trivy-script-runner-api.sarif"
- name: Run Trivy on image traefik
if: steps.build.outcome == 'success'
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-traefik:${{ github.sha }}"
Expand All @@ -186,12 +213,15 @@ jobs:
vuln-type: "os,library"
scanners: "vuln"
severity: "CRITICAL,HIGH"
skip-setup-trivy: true
- name: Upload Trivy scan results
if: steps.build.outcome == 'success'
uses: github/codeql-action/upload-sarif@v3
with:
category: "openc3-traefik"
sarif_file: "trivy-traefik.sarif"
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
if: steps.build.outcome == 'success'
uses: aquasecurity/trivy-action@master
with:
scan-type: "fs"
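Review bot: The new `if: steps.build.outcome == 'success'` guards (first at the "Run Trivy on image ruby" step, then repeated on every scan and upload step through the SBOM step) do not achieve "always run all scans", because an `if` expression without a status-check function still carries the implicit `success()` condition, so the first trivy-action or upload-sarif step that exits non-zero skips every scan after it and those images go unscanned. To make each scan independent of earlier steps while still requiring the build, write `if: ${{ !cancelled() && steps.build.outcome == 'success' }}` on each of these steps. Whether the build step is allowed to fail without failing the job is not visible here (no `continue-on-error` appears in the hunk), so if it is not, the `steps.build.outcome` check is redundant with the default behaviour and only the `!cancelled()` part changes anything. Separately, the scan steps in this hunk reference `aquasecurity/trivy-action@master`; a floating branch ref in the workflow that produces the security SARIF is a supply-chain weak point, and pinning it to a release tag or commit SHA would be worth a follow-up.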
