Merge pull request #2 from axoflow/feat-trivy

feat(ci): add trivy image scan
axoflow · Feb 14, 2024 · 74e1725 · 74e1725
2 parents e3710fd + b70f9cc
commit 74e1725
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 3 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -10,6 +10,7 @@ jobs:
       id-token: write
       packages: write
       contents: write
+      security-events: write
 
     strategy:
       matrix:
@@ -49,6 +50,7 @@ jobs:
           echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
 
       - uses: goreleaser/goreleaser-action@v5
+        id: goreleaser-action
         with:
           distribution: goreleaser
           version: v1.24.0
@@ -62,3 +64,33 @@ jobs:
         with:
           name: all-artifacts
           path: dist/*/*
+
+      - name: Install jq
+        run: sudo apt-get install -y jq
+
+      - name: Extract Docker image with digest
+        id: image-with-digest
+        shell: bash
+        run: |
+         echo '${{ steps.goreleaser-action.outputs.artifacts }}' >> output-artifacts.json
+         DOCKER_IMAGE=$(jq -r '.[] | select(.type == "Docker Manifest" and (.path | test(":[0-9]+"))) | "\(.path)@\(.extra.Digest)"' ./output-artifacts.json)
+         echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT"
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: ${{ steps.image-with-digest.outputs.DOCKER_IMAGE }}
+          format: sarif
+          output: trivy-results.sarif
+
+      - name: Upload Trivy scan results as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: "[${{ github.job }}] Trivy scan results"
+          path: trivy-results.sarif
+          retention-days: 5
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-results.sarif
diff --git a/cmd/goreleaser/internal/configure.go b/cmd/goreleaser/internal/configure.go
@@ -43,9 +43,8 @@ func Generate(imagePrefixes []string, dists []string) config.Project {
 			NameTemplate: "{{ .ProjectName }}_checksums.txt",
 		},
 
-		Builds:   Builds(dists),
-		Archives: Archives(dists),
-		//NFPMs:           Packages(dists),
+		Builds:          Builds(dists),
+		Archives:        Archives(dists),
 		Dockers:         DockerImages(imagePrefixes, dists),
 		DockerManifests: DockerManifests(imagePrefixes, dists),
 	}