run workflow on dispatch event and use token from secrets (#48)

Signed-off-by: Shubham Chaudhary <[email protected]>
litmuschaos · Apr 20, 2023 · 32aab16 · 32aab16
1 parent 449b149
commit 32aab16
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 17 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -36,23 +36,6 @@ jobs:
       - name: Build Image
         run: make build
 
-
-  security:
-    container:
-      image: litmuschaos/snyk:1.0
-      volumes:
-      - /home/runner/work/_actions/:/home/runner/work/_actions/
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - uses: snyk/actions/setup@master
-      - name: Install packages
-        run: pip3 install -r requirements.txt
-      - run: snyk auth ${SNYK_TOKEN}
-      - name: Snyk monitor
-        run: snyk test --file=requirements.txt --command=python3
-
-
   trivy:
     runs-on: ubuntu-latest
     steps:

diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -0,0 +1,32 @@
+---
+name: Security Scan
+on:
+  workflow_dispatch:
+
+jobs:
+  snyk:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Run Snyk to check for vulnerabilities
+        uses: snyk/actions/python@master
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+
+  trivy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      - name: Build an image from Dockerfile
+        run: |
+          docker build -f build/Dockerfile -t docker.io/litmuschaos/py-runner:${{ github.sha }} . --build-arg TARGETARCH=amd64
+      
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/litmuschaos/py-runner:${{ github.sha }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'