feat: add trivy scanner to CI

2025-05-06 08:44:30 +02:00 · 2022-09-30 20:11:59 -03:00 · 2022-09-30 20:11:59 -03:00 · 2c83789cd7
commit 2c83789cd7
parent 181653ad68
4 changed files with 48 additions and 75 deletions
--- a/.github/workflows/dev.yml
+++ b/.github/workflows/dev.yml
@ -13,32 +13,7 @@ env:
  IMAGE_TAG: ${{ github.sha }}

 jobs:
-
-  flake8:
-    name: Code Quality
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v2
-    - name: Set up Python 3.10.6
-      uses: actions/setup-python@v1
-      with:
-        python-version: 3.10.7
-    - name: Lint with flake8
-      run: |
-        pip install flake8 flake8-html
-        # stop the build if there are Python syntax errors or undefined names
-        flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
-        # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
-        mkdir -p reports/flake8
-        flake8 . --count --exit-zero --max-complexity=10 --max-line-length=79 --statistics --format=html --htmldir=reports/flake8
-    - name: Archive flake8 coverage results
-      uses: actions/upload-artifact@v1
-      with:
-        name: flake8-coverage-report
-        path: reports/flake8/
-
  security_checks:
-    needs: flake8
    runs-on: ubuntu-latest
    name: Security check
    steps:
@ -92,3 +67,15 @@ jobs:
          push: false
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ steps.meta.outputs.tags }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
--- a/.github/workflows/features.yml
+++ b/.github/workflows/features.yml
@ -14,32 +14,7 @@ env:
  IMAGE_TAG: ${{ github.sha }}

 jobs:
-
-  flake8:
-    name: Code Quality
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v2
-    - name: Set up Python 3.10
-      uses: actions/setup-python@v1
-      with:
-        python-version: 3.10.7
-    - name: Lint with flake8
-      run: |
-        pip install flake8 flake8-html
-        # stop the build if there are Python syntax errors or undefined names
-        flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
-        # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
-        mkdir -p reports/flake8
-        flake8 . --count --exit-zero --max-complexity=10 --max-line-length=79 --statistics --format=html --htmldir=reports/flake8
-    - name: Archive flake8 coverage results
-      uses: actions/upload-artifact@v1
-      with:
-        name: flake8-coverage-report
-        path: reports/flake8/
-
  security_checks:
-    needs: flake8
    runs-on: ubuntu-latest
    name: Security check
    steps:
@ -93,3 +68,15 @@ jobs:
          push: false
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ steps.meta.outputs.tags }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -63,3 +63,15 @@ jobs:
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ steps.meta.outputs.tags }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
--- a/.github/workflows/pull_requests.yml
+++ b/.github/workflows/pull_requests.yml
@ -9,32 +9,7 @@ env:
  IMAGE_TAG: ${{ github.sha }}

 jobs:
-
-  flake8:
-    name: Code Quality
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v2
-    - name: Set up Python 3.10.7
-      uses: actions/setup-python@v1
-      with:
-        python-version: 3.10.7
-    - name: Lint with flake8
-      run: |
-        pip install flake8 flake8-html
-        # stop the build if there are Python syntax errors or undefined names
-        flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics
-        # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide
-        mkdir -p reports/flake8
-        flake8 . --count --exit-zero --max-complexity=10 --max-line-length=79 --statistics --format=html --htmldir=reports/flake8
-    - name: Archive flake8 coverage results
-      uses: actions/upload-artifact@v1
-      with:
-        name: flake8-coverage-report
-        path: reports/flake8/
-
  security_checks:
-    needs: flake8
    runs-on: ubuntu-latest
    name: Security check
    steps:
@ -88,3 +63,15 @@ jobs:
          push: false
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ steps.meta.outputs.tags }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'