This repository has been archived by the owner on May 13, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 3
91 lines (78 loc) · 2.58 KB
/
trivy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
name: trivy-scan
on:
push:
branches: [ main, release-v* ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ main, release-v* ]
schedule:
# Daily checking runs at UTC 17:00 (BJT 1:00, next day)
- cron: '0 17 * * *'
permissions:
contents: read
jobs:
scan:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: Build and Scan
runs-on: "ubuntu-22.04"
strategy:
matrix:
id: [ "manager", "proxy-init", "ingress-pipy" ]
steps:
- name: Set up QEMU
uses: docker/[email protected]
- name: Set up Docker Buildx
uses: docker/[email protected]
- name: Checkout code
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Restore Module Cache
uses: actions/cache@v3
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-gomod2-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-gomod2-
- name: Restore Build Cache
uses: actions/cache@v3
with:
path: ~/.cache/go-build
key: ${{ runner.os }}-gobuild-${{ hashFiles('**/*.go') }}
- name: Set version
run: |
cat VERSION >> $GITHUB_ENV
- name: Package Helm Charts
run: make charts-tgz-rel
- name: Docker meta - ${{ matrix.id }}
id: docker_meta
uses: crazy-max/[email protected]
with:
images: flomesh/erie-canal-${{ matrix.id }}
tags: |
type=raw,${{ github.sha }}
- name: Build and push image ${{ matrix.id }}
uses: docker/[email protected]
with:
context: .
file: ./dockerfiles/${{ matrix.id }}/Dockerfile
platforms: linux/amd64
tags: ${{ steps.docker_meta.outputs.tags }}
labels: ${{ steps.docker_meta.outputs.labels }}
build-args: |
DISTROLESS_TAG=nonroot
outputs: |
type=docker,dest=erie-canal-${{ matrix.id }}.tar
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
input: /github/workspace/erie-canal-${{ matrix.id }}.tar
severity: 'CRITICAL,HIGH'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'