trying caching again #4
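name: Trivy Frontend Vulnerability Scan

on:
  push:
    branches:
      - pva/RDFBROWSER-494-trivy-github-action
  # pull_request:
  #   branches:
  #     - develop
  #     - master
  workflow_dispatch:  # Allows manual runs from the GitHub UI

# Least privilege: the job only reads the repository; it never writes back.
permissions:
  contents: read

jobs:
  frontend-trivy-scan:
    runs-on: ubuntu-latest
    steps:
      # Check out the pushed commit (the only enabled trigger is `push`).
      # Consider pinning this action to a full commit SHA rather than a
      # mutable tag so the checked-out code path cannot change underneath us.
      - name: Checkout code
        uses: actions/checkout@v3

      # Install the latest Trivy release. There is no cache step in this
      # workflow, so every run resolves and downloads the release again.
      # NOTE(review): the .deb is installed without checksum or signature
      # verification; pinning a release version and verifying it would
      # remove the dependency on whatever "latest" resolves to at run time.
      - name: Install Trivy
        run: |
          set -euo pipefail
          # --fail turns an HTTP error (e.g. API rate limiting) into a non-zero
          # exit instead of feeding an error document to jq.
          TRIVY_LATEST_VERSION=$(curl --silent --show-error --fail \
            "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | jq -r .tag_name)
          # jq prints the literal string "null" when .tag_name is absent.
          if [ -z "$TRIVY_LATEST_VERSION" ] || [ "$TRIVY_LATEST_VERSION" = "null" ]; then
            echo "Could not determine the latest Trivy release" >&2
            exit 1
          fi
          wget "https://github.com/aquasecurity/trivy/releases/download/${TRIVY_LATEST_VERSION}/trivy_${TRIVY_LATEST_VERSION#v}_Linux-64bit.deb"
          sudo dpkg -i "trivy_${TRIVY_LATEST_VERSION#v}_Linux-64bit.deb"

      # Scan the frontend package-lock.json and write a JSON report.
      - name: Run Trivy scan for package-lock.json
        id: trivy-scan-frontend
        run: |
          trivy fs web/frontend/package-lock.json --format json --output reportFrontend.json

      # Fail the job when the report contains any CRITICAL finding.
      - name: Check vulnerabilities in frontend
        id: check-vulns-frontend
        run: |
          set -euo pipefail
          # `?` on both iterators tolerates a report with no Results or no
          # Vulnerabilities array, yielding a count of 0 instead of a jq error.
          vuln_count=$(jq '[.Results[]?.Vulnerabilities[]? | select(.Severity == "CRITICAL")] | length' reportFrontend.json)
          echo "Frontend CRITICAL vulnerability count: $vuln_count"
          if [ "$vuln_count" -gt 0 ]; then
            echo "CRITICAL vulnerabilities found in package-lock.json!"
            exit 1
          else
            echo "No CRITICAL vulnerabilities found in package-lock.json."
          fi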