Add trivy scanner #7
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and test Package | |
| on: | |
| push: | |
| schedule: | |
| - cron: '30 5 * * *' | |
| workflow_dispatch: | |
| inputs: | |
| ref: | |
| description: "Commit hash" | |
| default: "" | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| container: amazonlinux:2 | |
| strategy: | |
| matrix: | |
| build_type: [debug, relwithdebinfo] | |
| steps: | |
| - name: Set up Dev Environment | |
| run: | | |
| yum groupinstall -y "Development Tools" | |
| yum install -y cmake3 valgrind git | |
| - uses: actions/checkout@v3 | |
| with: | |
| ref: ${{inputs.ref}} | |
| - name: Build and Test | |
| run: | | |
| cmake3 -S . -B build -DCMAKE_BUILD_TYPE=${{matrix.build_type}} | |
| cd build | |
| make package | |
| make test | |
| - name: Generate Trivy vulnerability scan report | |
| uses: aquasecurity/[email protected] | |
| if: inputs.publish_vulnerabilities == 'true' | |
| with: | |
| scan-type: 'fs' | |
| format: 'sarif' | |
| exit-code: '0' | |
| ignore-unfixed: true | |
| severity: 'CRITICAL,HIGH' | |
| output: 'trivy-results.sarif' | |
| hide-progress: true | |
| - name: Upload Trivy scan report to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v2 | |
| if: inputs.publish_vulnerabilities == 'true' | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| - name: Test with Trivy vulnerability scanner | |
| uses: aquasecurity/[email protected] | |
| with: | |
| scan-type: 'fs' | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| severity: 'CRITICAL' | |
| hide-progress: true |