-
Notifications
You must be signed in to change notification settings - Fork 0
68 lines (62 loc) · 2.14 KB
/
build-and-scan-PR-container.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
name: build and scan PR container
on:
pull_request:
jobs:
build:
name: Build PR image
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: create maven settings.xml
uses: s4u/[email protected]
with:
servers: |
[{
"id":"github-clearinghouse",
"username": "${{github.actor}}",
"password": "${{ secrets.GITHUB_TOKEN }}"
},
{
"id":"github-crypt4gh",
"username": "${{github.actor}}",
"password": "${{ secrets.GITHUB_TOKEN }}"
}]
- name: Copy settings.xml to project root
shell: bash
run: cp /home/runner/.m2/settings.xml ./settings.xml
- name: Log in to the Github Container registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build container
uses: docker/build-push-action@v4
with:
context: .
file: ./Dockerfile
push: true
tags: |
ghcr.io/${{ github.repository }}:PR${{ github.event.number }}
ghcr.io/${{ github.repository }}:sha-${{ github.sha }}
labels: |
org.opencontainers.image.source=${{ github.event.repository.clone_url }}
org.opencontainers.image.created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')
org.opencontainers.image.revision=${{ github.sha }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f
with:
image-ref: ghcr.io/${{ github.repository }}:sha-${{ github.sha }}
format: "sarif"
hide-progress: true
ignore-unfixed: true
output: 'trivy-results.sarif'
severity: "CRITICAL,HIGH"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'