see if it worked #5
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Trivy Backend Vulnerability Scan | |
| on: | |
| push: | |
| branches: | |
| - pva/RDFBROWSER-494-trivy-github-action | |
| pull_request: | |
| branches: | |
| - develop | |
| - master | |
| workflow_dispatch: # Allows manual runs from the GitHub UI | |
| jobs: | |
| backend-trivy-scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| # Checkout the pull request code | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| # Set up Java 17 for the environment | |
| - name: Set up JDK 17 | |
| uses: actions/setup-java@v3 | |
| with: | |
| java-version: '17' | |
| distribution: 'adopt' | |
| # Cache Gradle wrapper distribution and dependencies | |
| - name: Cache Gradle wrapper and dependencies | |
| uses: actions/cache@v3 | |
| with: | |
| path: | | |
| ~/.gradle/caches | |
| ~/.gradle/wrapper/dists | |
| key: gradle-${{ runner.os }}-${{ hashFiles('**/*.gradle*', '**/gradle-wrapper.properties') }} | |
| restore-keys: | | |
| gradle-${{ runner.os }}- | |
| # Install Trivy if not cached | |
| - name: Install Trivy | |
| run: | | |
| TRIVY_LATEST_VERSION=$(curl --silent "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | jq -r .tag_name) | |
| wget https://github.com/aquasecurity/trivy/releases/download/${TRIVY_LATEST_VERSION}/trivy_${TRIVY_LATEST_VERSION#v}_Linux-64bit.deb | |
| sudo dpkg -i trivy_${TRIVY_LATEST_VERSION#v}_Linux-64bit.deb | |
| # Run Gradle lockfile updates | |
| - name: Run Gradle dependencies | |
| run: | | |
| cd web; ./gradlew dependencies --write-locks | |
| # Scan the backend gradle.lockfile | |
| - name: Run Trivy scan for gradle.lockfile | |
| id: trivy-scan-java | |
| run: | | |
| trivy fs web/gradle.lockfile --format json --output reportJava.json | |
| # Check for CRITICAL vulnerabilities in the Java scan | |
| - name: Check vulnerabilities in Java | |
| id: check-vulns-java | |
| run: | | |
| vuln_count=$(jq '[.Results[]?.Vulnerabilities[]? | select(.Severity == "CRITICAL")] | length' reportJava.json) | |
| echo "Java CRITICAL vulnerability count: $vuln_count" | |
| if [ "$vuln_count" -gt 0 ]; then | |
| echo "CRITICAL vulnerabilities found in gradle.lockfile!" | |
| exit 1 | |
| else | |
| echo "No CRITICAL vulnerabilities found in gradle.lockfile." | |
| fi | |
| # Clean up lockfile after scan | |
| - name: Clean up | |
| run: | | |
| /bin/rm -rf web/gradle.lockfile |