Add manual trigger for rebuilding NLC images [5.2.z] #1670
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Vulnerability Scan | |
| on: | |
| schedule: | |
| - cron: '0 2 * * *' | |
| push: | |
| branches: | |
| - master | |
| pull_request: | |
| types: [ opened, synchronize, edited ] | |
| jobs: | |
| scan-oss: | |
| env: | |
| DOCKLE_HOST: "unix:///var/run/docker.sock" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v3 | |
| - name: Build OSS image | |
| run: | | |
| docker build -t hazelcast/oss:${{ github.sha }} hazelcast-oss | |
| - name: Scan OSS image by Trivy | |
| if: always() | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: hazelcast/oss:${{ github.sha }} | |
| trivy-config: .github/containerscan/trivy.yaml | |
| - name: Scan OSS image by Dockle | |
| if: always() | |
| uses: goodwithtech/dockle-action@main | |
| with: | |
| image: hazelcast/oss:${{ github.sha }} | |
| format: 'list' | |
| exit-code: '1' | |
| exit-level: 'warn' | |
| # too many false positives, we don't use credentials in Dockerfile | |
| ignore: 'CIS-DI-0010' | |
| - name: Scan OSS image by Snyk | |
| if: always() | |
| uses: snyk/actions/docker@master | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| with: | |
| image: hazelcast/oss:${{ github.sha }} | |
| args: --file=hazelcast-oss/Dockerfile --policy-path=.github/containerscan --severity-threshold=high --exclude-base-image-vulns | |
| scan-ee: | |
| env: | |
| DOCKLE_HOST: "unix:///var/run/docker.sock" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v3 | |
| - name: Build EE image | |
| run: | | |
| docker build -t hazelcast/ee:${{ github.sha }} hazelcast-enterprise | |
| - name: Scan EE image by Trivy | |
| if: always() | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: hazelcast/ee:${{ github.sha }} | |
| trivy-config: .github/containerscan/trivy.yaml | |
| - name: Scan EE image by Dockle | |
| if: always() | |
| uses: goodwithtech/dockle-action@main | |
| with: | |
| image: hazelcast/ee:${{ github.sha }} | |
| format: 'list' | |
| exit-code: '1' | |
| exit-level: 'warn' | |
| # too many false positives, we don't use credentials in Dockerfile | |
| ignore: 'CIS-DI-0010' | |
| - name: Scan EE image by Snyk | |
| if: always() | |
| uses: snyk/actions/docker@master | |
| env: | |
| SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
| with: | |
| image: hazelcast/ee:${{ github.sha }} | |
| args: --file=hazelcast-enterprise/Dockerfile --policy-path=.github/containerscan --severity-threshold=high --exclude-base-image-vulns |