(maint) Add Trivy scan to build-test-push

eputnam · eputnam · commit 8b02d7850a7a · 2022-07-12T13:54:08.000-07:00
Trivy is our official container scanning solution now, so this adds a
trivy scan whenever we try to push a new puppet-dev-tools container so
we don't release containers with unwanted vulnerabilities.
Trivy only scans the root-based image to save time as there are no
os-level differences between root and rootless images.
diff --git a/.github/workflows/build-test-push.yml b/.github/workflows/build-test-push.yml
@@ -13,6 +13,14 @@ jobs:
         run: ./build-rootless.sh $(echo $GITHUB_REPOSITORY |cut -d '/' -f1)
       - name: Build standard image
         run: ./build.sh $(echo $GITHUB_REPOSITORY |cut -d '/' -f1)
+      - name: Trivy scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: puppet-dev-tools:latest
+          exit-code: 1
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH,MEDIUM'
+          vuln-type: os
       - name: Run tests
         run: cd tests; ./run_tests.sh
       - name: Tag Docker images
