gha: add trivy security scan (#277)

2026-01-17 18:54:20 +01:00 · 2024-08-23 16:08:40 +02:00
parent 1f8cdcc770
commit 1b9660ec89
1 changed files with 35 additions and 0 deletions
--- a/.github/workflows/ark.trivy.yaml
+++ b/.github/workflows/ark.trivy.yaml
@@ -0,0 +1,35 @@
+name: Trivy Security Scan
+
+on:
+  push:
+    branches: ["master"]
+  pull_request:
+    branches: ["master"]
+
+jobs:
+  build:
+    name: Build and Scan
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Build an image from Dockerfile
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          load: true
+          tags: ${{ github.repository }}:${{ github.sha }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.24.0
+        with:
+          image-ref: "${{ github.repository }}:${{ github.sha }}"
+          format: "table"
+          exit-code: "1"
+          ignore-unfixed: true
+          vuln-type: "os,library"
+          severity: "CRITICAL,HIGH"