ci: add Trivy for Docker image scanning (#149)

* ci: add Trivy for Docker image scanning * build: update dependencies * refactor: update typings * chore: upgrade NestJS to v8
kadaster-labs · Feb 16, 2022 · d10809d · d10809d
1 parent e0899e9
commit d10809d
Show file tree

Hide file tree

Showing 7 changed files with 4,512 additions and 7,788 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -9,7 +9,7 @@ on:
     branches: [main]
 
 jobs:
-  build:
+  build-node:
     runs-on: ubuntu-latest
 
     steps:
@@ -34,3 +34,23 @@ jobs:
         run: npm run build
       - name: Run test
         run: npm run test
+
+  build-image:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Build image from Dockerfile
+        run: |
+          docker build -t sensrnetnl/registry-backend:${{ github.sha }} .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'sensrnetnl/registry-backend:${{ github.sha }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
diff --git a/Dockerfile b/Dockerfile
@@ -18,7 +18,7 @@ RUN npm run build && \
 
 
 # Second Stage: use lightweight alpine image and run as non-root
-FROM node:16.5.0-alpine3.12
+FROM node:16.13.2-alpine3.15
 
 RUN mkdir -p /home/node/app && chown -R node:node /home/node/app