diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml new file mode 100644 index 00000000..21f6b47c --- /dev/null +++ b/.github/workflows/trivy.yaml @@ -0,0 +1,55 @@ +name: Trivy vulnerability scanner +on: + push: + branches: + - master + pull_request: +jobs: + build: + name: Build + runs-on: ubuntu-18.04 + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Install go + uses: actions/setup-go@v2 + with: + go-version: ^1.16 + + - name: Build images from Dockerfile + run: | + make + docker build -t test/csi-snapshotter:latest -f ./cmd/csi-snapshotter/Dockerfile --output=type=docker --label revision=latest . + docker build -t test/snapshot-controller:latest -f ./cmd/snapshot-controller/Dockerfile --output=type=docker --label revision=latest . + docker build -t test/snapshot-validation-webhook:latest -f ./cmd/snapshot-validation-webhook/Dockerfile --output=type=docker --label revision=latest . + + - name: Run Trivy vulnerability scanner on csi-snapshotter image + uses: aquasecurity/trivy-action@master + with: + image-ref: 'test/csi-snapshotter:latest' + format: 'table' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN' + + - name: Run Trivy vulnerability scanner on snapshotter-controller image + uses: aquasecurity/trivy-action@master + with: + image-ref: 'test/snapshot-controller:latest' + format: 'table' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN' + + - name: Run Trivy vulnerability scanner on snapshot-validation-webhook image + uses: aquasecurity/trivy-action@master + with: + image-ref: 'test/snapshot-validation-webhook:latest' + format: 'table' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'