feat: add trivy image scanning

The cloud platform scans containers when they are running in the cluster, but we should also be scanning the images before we deploy to the cluster. https://user-guide.cloud-platform.service.justice.gov.uk/documentation/other-topics/trivy-image-scanning.html#trivy-vulnerability-scanning
ministryofjustice · Nov 8, 2024 · 87e8a16 · 87e8a16
1 parent 9d5b111
commit 87e8a16
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/.github/workflows/reusable-push-and-deploy.yml b/.github/workflows/reusable-push-and-deploy.yml
@@ -47,6 +47,7 @@ jobs:
     permissions:
       id-token: write # This is required for requesting the JWT
       contents: read # This is required for actions/checkout
+      security-events: write
     steps:
       - uses: actions/checkout@v4
 
@@ -95,6 +96,18 @@ jobs:
           IMAGE_PATH: ${{ steps.image-path.outputs.image_path }}
         run: docker push "${IMAGE_PATH}"
 
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: ${{ steps.image-path.outputs.image_path }}
+          format: "sarif"
+          output: "trivy-results.sarif"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: "trivy-results.sarif"
+
       - name: Prepare deployment yaml
         id: prepare-deployment
         env: