Add secondary db repos #81
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Pull Third Party Containers, Scan, and Publish to GHCR | |
on: | |
workflow_dispatch: | |
schedule: | |
- cron: '0 5 * * 0' | |
push: | |
branches: [ patch-trivy-db-v2 ] | |
jobs: | |
pull-and-scan: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
env: | |
GH_REPO: gsa-tts/fac | |
strategy: | |
fail-fast: false | |
matrix: | |
image: | |
- name: postgrest/postgrest:latest | |
short-name: postgrest | |
- name: ghcr.io/gsa-tts/clamav-rest/clamav:latest | |
short-name: clamav | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Set up Docker Buildx | |
id: buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Pull Docker Image | |
run: docker pull ${{ matrix.image.name }} | |
# - name: Run Trivy vulnerability scanner | |
# uses: aquasecurity/[email protected] | |
# env: | |
# TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db | |
# TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db | |
# TRIVY_SKIP_DB_UPDATE: true | |
# TRIVY_SKIP_JAVA_DB_UPDATE: true | |
# TRIVY_DISABLE_VEX_NOTICE: true | |
# with: | |
# image-ref: '${{ matrix.image.name }}' | |
# scan-type: 'image' | |
# hide-progress: false | |
# exit-code: 1 | |
# format: 'sarif' | |
# output: 'trivy-pull-image-results.sarif' | |
# severity: 'CRITICAL,HIGH' | |
# scanners: 'vuln' | |
# timeout: 15m0s | |
# ignore-unfixed: true | |
# - name: Upload Trivy scan results to GitHub Security tab for Third Party Images | |
# uses: github/codeql-action/upload-sarif@v3 | |
# with: | |
# sarif_file: 'trivy-pull-image-results.sarif' | |
- name: Scan Image | |
run: docker run aquasec/trivy:latest image --trivy_db_repository public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db --trivy_java_db_repository public.ecr.aws/aquasecurity/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db --timeout 5m --scanners vuln --exit-code 1 --severity CRITICAL,HIGH ${{ matrix.image.name }} | |
- name: Tag Image | |
run: | | |
date=$(date +%Y%m%d) | |
docker tag ${{ matrix.image.name }} ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}:latest | |
docker tag ${{ matrix.image.name }} ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }}:$date | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Push Image | |
run: docker push --all-tags ghcr.io/${{ env.GH_REPO }}/${{ matrix.image.short-name }} | |