trivy.yml

name: Trivy

on:
  pull_request:
    branches:
      - develop

jobs:
  scan:
    name: Vulnerability Scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4.1.4

      - name: Build -opensource and cloud- Docker images
        run: |
          docker build -f docker/Dockerfile-production-cloud -t docker.io/gisaia/arlas-wui-cloud:${{ github.sha }} .
          docker build -f docker/Dockerfile-production-opensource -t docker.io/gisaia/arlas-wui:${{ github.sha }} .
      - name: Run Trivy vulnerability scanner on opensource image
        uses: aquasecurity/trivy-action@master
        env:
          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
        with:
          image-ref: "docker.io/gisaia/arlas-wui:${{ github.sha }}"
          format: "table"
          exit-code: "1"
          ignore-unfixed: true
          vuln-type: "os,library"
          severity: "CRITICAL,HIGH"
          trivyignores: .github/workflows/.trivyignore
      - name: Run Trivy vulnerability scanner on cloud image
        uses: aquasecurity/trivy-action@master
        env:
          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
        with:
          image-ref: "docker.io/gisaia/arlas-wui-cloud:${{ github.sha }}"
          format: "table"
          exit-code: "1"
          ignore-unfixed: true
          vuln-type: "os,library"
          severity: "CRITICAL,HIGH"
          trivyignores: .github/workflows/.trivyignore