Alg/rdfbrowser 497 popout hierarchy window #38
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Trivy Backend Vulnerability Scan | |
| on: | |
| pull_request: | |
| branches: | |
| - develop | |
| - master | |
| workflow_dispatch: # Allows manual runs from the GitHub UI | |
| jobs: | |
| backend-trivy-scan: | |
| runs-on: ubuntu-latest | |
| steps: | |
| # Checkout the pull request code | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| # Set up Java 17 for the environment | |
| - name: Set up JDK 17 | |
| uses: actions/setup-java@v3 | |
| with: | |
| java-version: '17' | |
| distribution: 'adopt' | |
| # Install Trivy if not cached | |
| - name: Install Trivy | |
| run: | | |
| TRIVY_LATEST_VERSION=$(curl --silent "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | jq -r .tag_name) | |
| wget https://github.com/aquasecurity/trivy/releases/download/${TRIVY_LATEST_VERSION}/trivy_${TRIVY_LATEST_VERSION#v}_Linux-64bit.deb | |
| sudo dpkg -i trivy_${TRIVY_LATEST_VERSION#v}_Linux-64bit.deb | |
| # Run Gradle lockfile updates | |
| - name: Run Gradle dependencies | |
| run: | | |
| cd web; ./gradlew dependencies --write-locks | |
| # Scan the backend gradle.lockfile | |
| - name: Run Trivy scan for gradle.lockfile | |
| id: trivy-scan-java | |
| run: | | |
| trivy fs web/gradle.lockfile --format json --output reportJava.json | |
| env: | |
| TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db | |
| TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db | |
| # Check for HIGH and CRITICAL vulnerabilities in the Java scan | |
| - name: Check vulnerabilities in Java | |
| id: check-vulns-java | |
| run: | | |
| # Get the count of HIGH and CRITICAL vulnerabilities | |
| vuln_count=$(jq '[.Results[]?.Vulnerabilities[]? | select(.Severity == "CRITICAL" or .Severity == "HIGH")] | length' reportJava.json) | |
| echo "Java HIGH and CRITICAL vulnerability count: $vuln_count" | |
| # List the HIGH and CRITICAL vulnerabilities, if any | |
| if [ "$vuln_count" -gt 0 ]; then | |
| echo "Listing HIGH and CRITICAL vulnerabilities found in gradle.lockfile:" | |
| jq '[.Results[]?.Vulnerabilities[]? | select(.Severity == "CRITICAL" or .Severity == "HIGH")] | .[] | {ID, Severity, Description, PackageName, InstalledVersion, FixedVersion}' reportJava.json | |
| exit 1 | |
| else | |
| echo "No HIGH or CRITICAL vulnerabilities found in gradle.lockfile." | |
| fi | |
| # Clean up lockfile after scan | |
| - name: Clean up | |
| run: | | |
| /bin/rm -rf web/gradle.lockfile |