From 12a904afdd9b94a5df9519f6d1a46fb953a42484 Mon Sep 17 00:00:00 2001
From: Mark Sagi-Kazar
Date: Wed, 26 Jan 2022 15:38:31 +0100
Subject: [PATCH] ci: run trivy scan on container image
Signed-off-by: Mark Sagi-Kazar
---
 .github/workflows/docker.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
index 26c7a334..36e447bd 100644
--- a/.github/workflows/docker.yaml
+++ b/.github/workflows/docker.yaml
@@ -92,3 +92,18 @@ jobs:
 org.opencontainers.image.revision=${{ github.sha }}
 org.opencontainers.image.licenses=${{ github.event.repository.license.spdx_id }}
 org.opencontainers.image.documentation=https://dexidp.io/docs/
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.2.1
+ with:
+ image-ref: "ghcr.io/dexidp/dex:${{ steps.tags.outputs.version }}"
+ format: "template"
+ template: "@/contrib/sarif.tpl"
+ output: "trivy-results.sarif"
+ if: github.event_name == 'push'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: "trivy-results.sarif"
+ if: github.event_name == 'push'
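Review bot: The "Run Trivy vulnerability scanner" step scans the already-published registry tag (`image-ref: "ghcr.io/dexidp/dex:..."`) and sets no `exit-code` or `severity` input, so findings only land in the Security tab and never fail the job or block the release; if the intent is to gate publication, scan the locally built image before the push step (which lies outside this hunk) and add `exit-code: "1"` with `severity: "CRITICAL,HIGH"` to the `with:` block. Both new third-party actions are referenced by mutable tags (`aquasecurity/trivy-action@0.2.1`, `github/codeql-action/upload-sarif@v1`) that a compromised or force-pushed tag could redirect, so pinning them to a full commit SHA with the tag in a trailing comment would match the supply-chain posture a scanning step is meant to improve. The upload-sarif step presumably needs `security-events: write` on the job's GITHUB_TOKEN; the workflow's `permissions:` block is not visible here, so confirm it is granted or the upload will fail silently on restricted-token repositories.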