Merge pull request #13 from ropable/develop

Update GitHub build workflow with vulnerability scan
dbca-wa · Oct 9, 2024 · 2fab771 · 2fab771
2 parents 620055e + 0d0ca43
commit 2fab771
Showing 1 changed file with 17 additions and 2 deletions.
diff --git a/.github/workflows/dbca_build.yml b/.github/workflows/dbca_build.yml
@@ -15,11 +15,12 @@ env:
    IMAGE_NAME: ${{ github.repository }}
 
 jobs: 
-   build-and-push-image:
+  build-and-push-image:
     runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
+      security-events: write
     steps:
     -  name: Checkout
        uses: actions/checkout@v4
@@ -87,4 +88,18 @@ jobs:
          push: true
          tags: ${{ steps.meta_ckan_worker.outputs.tags }}
          build-args: CKAN_IMAGE=${{ steps.meta_ckan.outputs.tags }}
-
+
+    - name: Run Trivy vuln scanner on CKAN image
+      uses: aquasecurity/trivy-action@0.26.0
+      with:
+        scan-type: 'image'
+        image-ref: ${{ steps.meta_ckan.outputs.tags }}
+        vuln-type: 'os,library'
+        severity: 'HIGH,CRITICAL'
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: 'trivy-results.sarif'