Merge pull request #3092 from kichristensen/checkoutHistory #2
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Scan our docker images for vulnerabilities | |
name: Trivy | |
on: | |
# always do a security scan when a change is merged | |
push: | |
branches-ignore: | |
# Disable running the push event for dependabot. | |
# Dependabot pushes to branches in our repo, not in a fork. This causes the push event to trigger for dependabot PRs and the CodeQL check fails. | |
- "dependabot/**" | |
# Only do a security scan on a PR when there are non-doc changes to save time | |
pull_request_target: | |
paths-ignore: | |
- 'docs/**' | |
jobs: | |
scan: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 # Get all git history | |
- name: Set up Go | |
uses: actions/setup-go@v4 | |
with: | |
go-version-file: go.mod | |
cache: true | |
- name: Configure Agent | |
run: go run mage.go ConfigureAgent | |
- name: Build Binaries | |
run: mage -v XBuildAll | |
- name: Build Docker Images | |
run: mage -v BuildImages | |
- name: Scan Images with Trivy | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "localhost:5000/porter-agent:${{ env.VERSION }}" | |
format: sarif | |
output: trivy-results.sarif | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: trivy-results.sarif |