Merge pull request #121 from puppetlabs/maint/add-trivy-scan-action

eputnam · web-flow · commit 20651272278d · 2022-07-27T14:17:29.000-07:00
Add Trivy scans to github actions
diff --git a/.github/workflows/build-test-push.yml b/.github/workflows/build-test-push.yml
@@ -13,6 +13,14 @@ jobs:
         run: ./build-rootless.sh $(echo $GITHUB_REPOSITORY |cut -d '/' -f1)
       - name: Build standard image
         run: ./build.sh $(echo $GITHUB_REPOSITORY |cut -d '/' -f1)
+      - name: Trivy scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: puppet-dev-tools:latest
+          exit-code: 1
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH,MEDIUM'
+          vuln-type: os
       - name: Run tests
         run: cd tests; ./run_tests.sh
       - name: Tag Docker images
diff --git a/.github/workflows/publish-4x-image.yml b/.github/workflows/publish-4x-image.yml
@@ -13,20 +13,32 @@ on:
 jobs:
   publish-4x-image:
     runs-on: ubuntu-latest
+    env:
+      IMAGE_BASE: "${{ secrets.DOCKERHUB_PUSH_USERNAME }}/puppet-dev-tools"
     steps:
       - name: Login to Docker Hub
         run: echo ${{ secrets.DOCKERHUB_PASSWORD }} | docker login -u ${{ secrets.DOCKERHUB_LOGIN_USERNAME }} --password-stdin
-      - name: Publish standard image to 4.x
+      - name: Pull image
         env:
-          IMAGE_BASE: "${{ secrets.DOCKERHUB_PUSH_USERNAME }}/puppet-dev-tools"
           IMAGE_TAG: ${{ github.event.inputs.image_tag }}
         run: |
           docker pull ${IMAGE_BASE}:${IMAGE_TAG}
+      - name: Trivy scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.IMAGE_BASE }}:${{ github.event.inputs.image_tag }}
+          exit-code: 1
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH,MEDIUM'
+          vuln-type: os
+      - name: Publish standard image to 4.x
+        env:
+          IMAGE_TAG: ${{ github.event.inputs.image_tag }}
+        run: |
           docker tag ${IMAGE_BASE}:${IMAGE_TAG} ${IMAGE_BASE}:4.x
           docker push ${IMAGE_BASE}:4.x
       - name: Publish rootless image to 4.x-rootless
         env:
-          IMAGE_BASE: "${{ secrets.DOCKERHUB_PUSH_USERNAME }}/puppet-dev-tools"
           IMAGE_TAG: ${{ github.event.inputs.image_tag_rootless }}
         run: |
           docker pull ${IMAGE_BASE}:${IMAGE_TAG}
