diff --git a/.github/workflows/dev.yml b/.github/workflows/dev.yml index b6e2210..2f4e2f6 100644 --- a/.github/workflows/dev.yml +++ b/.github/workflows/dev.yml @@ -13,32 +13,7 @@ env: IMAGE_TAG: ${{ github.sha }} jobs: - - flake8: - name: Code Quality - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: Set up Python 3.10.6 - uses: actions/setup-python@v1 - with: - python-version: 3.10.7 - - name: Lint with flake8 - run: | - pip install flake8 flake8-html - # stop the build if there are Python syntax errors or undefined names - flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics - # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide - mkdir -p reports/flake8 - flake8 . --count --exit-zero --max-complexity=10 --max-line-length=79 --statistics --format=html --htmldir=reports/flake8 - - name: Archive flake8 coverage results - uses: actions/upload-artifact@v1 - with: - name: flake8-coverage-report - path: reports/flake8/ - security_checks: - needs: flake8 runs-on: ubuntu-latest name: Security check steps: @@ -92,3 +67,15 @@ jobs: push: false tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: ${{ steps.meta.outputs.tags }} + format: 'sarif' + output: 'trivy-results.sarif' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' \ No newline at end of file diff --git a/.github/workflows/features.yml b/.github/workflows/features.yml index 3cc6d83..b8b83b0 100644 --- a/.github/workflows/features.yml +++ b/.github/workflows/features.yml 
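Review bot: `uses: aquasecurity/trivy-action@master` in the new Trivy step pins a third-party action to a mutable branch, so whatever lands on `master` at run time executes with access to the built image and the job's token; pin it to a release tag or, preferably, a full commit SHA, and consider the same for `github/codeql-action/upload-sarif@v2`. The identical unpinned reference appears in the features.yml, main.yml and pull_requests.yml hunks. Separately, `image-ref: ${{ steps.meta.outputs.tags }}` reuses the output the build step consumes as a tag list; if the metadata step emits more than one tag, that value is newline-separated and Trivy receives an invalid single reference, so a single tag (for example the first entry of the metadata step's `json` output) should be passed instead. The metadata step is outside the hunk, so how many tags it produces cannot be confirmed from here.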
@@ -14,32 +14,7 @@ env: IMAGE_TAG: ${{ github.sha }} jobs: - - flake8: - name: Code Quality - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: Set up Python 3.10 - uses: actions/setup-python@v1 - with: - python-version: 3.10.7 - - name: Lint with flake8 - run: | - pip install flake8 flake8-html - # stop the build if there are Python syntax errors or undefined names - flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics - # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide - mkdir -p reports/flake8 - flake8 . --count --exit-zero --max-complexity=10 --max-line-length=79 --statistics --format=html --htmldir=reports/flake8 - - name: Archive flake8 coverage results - uses: actions/upload-artifact@v1 - with: - name: flake8-coverage-report - path: reports/flake8/ - security_checks: - needs: flake8 runs-on: ubuntu-latest name: Security check steps: @@ -93,3 +68,15 @@ jobs: push: false tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: ${{ steps.meta.outputs.tags }} + format: 'sarif' + output: 'trivy-results.sarif' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' \ No newline at end of file diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 9115554..88bfef2 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
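Review bot: the Trivy step scans `image-ref: ${{ steps.meta.outputs.tags }}` immediately after a build step that has `push: false`, so the image only exists for Trivy if the build loaded it into the runner's local Docker daemon; with the buildx container driver that requires `load: true` on the build step, otherwise the scan tries to pull an image that was never pushed. The build step's inputs are outside the hunk, so this needs confirming against that step. The same build-then-scan sequence with `push: false` appears in the dev.yml and pull_requests.yml hunks. If scanning without publishing is the intent, `load: true` on the build plus a single-tag `image-ref` makes that explicit.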
@@ -63,3 +63,15 @@ jobs: push: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: ${{ steps.meta.outputs.tags }} + format: 'sarif' + output: 'trivy-results.sarif' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' \ No newline at end of file diff --git a/.github/workflows/pull_requests.yml b/.github/workflows/pull_requests.yml index 29cc7f0..de1f8f8 100644 --- a/.github/workflows/pull_requests.yml +++ b/.github/workflows/pull_requests.yml @@ -9,32 +9,7 @@ env: IMAGE_TAG: ${{ github.sha }} jobs: - - flake8: - name: Code Quality - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: Set up Python 3.10.7 - uses: actions/setup-python@v1 - with: - python-version: 3.10.7 - - name: Lint with flake8 - run: | - pip install flake8 flake8-html - # stop the build if there are Python syntax errors or undefined names - flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics - # exit-zero treats all errors as warnings. The GitHub editor is 127 chars wide - mkdir -p reports/flake8 - flake8 . --count --exit-zero --max-complexity=10 --max-line-length=79 --statistics --format=html --htmldir=reports/flake8 - - name: Archive flake8 coverage results - uses: actions/upload-artifact@v1 - with: - name: flake8-coverage-report - path: reports/flake8/ - security_checks: - needs: flake8 runs-on: ubuntu-latest name: Security check steps: 
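Review bot: in main.yml the Trivy scan runs after a build step with `push: true`, so the image is already published before any vulnerability is reported, and because the step sets no `exit-code` input the job succeeds regardless of findings. If the scan is meant to gate what reaches the registry, build with `push: false` (and `load: true`), fail the scan on serious findings, upload the SARIF even when it fails, and push in a separate step that runs only after the scan passes; the build step and the rest of the job are outside the hunk. If the scan is intentionally advisory, say so in a comment on the step, e.g. `# advisory only: findings go to the Security tab and do not block the push`.
```yaml
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master  # pin to a tag or commit SHA
        with:
          image-ref: ${{ steps.meta.outputs.tags }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          exit-code: '1'
          severity: 'CRITICAL,HIGH'
          ignore-unfixed: true

      - name: Upload Trivy scan results to GitHub Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
      # … push step (docker/build-push-action with push: true) moved here, after the scan …
```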
@@ -88,3 +63,15 @@ jobs: push: false tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: ${{ steps.meta.outputs.tags }} + format: 'sarif' + output: 'trivy-results.sarif' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: 'trivy-results.sarif' \ No newline at end of file
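Review bot: the `Upload Trivy scan results to GitHub Security tab` step requires `security-events: write`; if this workflow (or the repository default) restricts `permissions:`, or if it runs on `pull_request` events from forks where the token is read-only, the upload fails and the scan output is lost, so the job should declare `permissions: contents: read` and `security-events: write` explicitly. The workflow's trigger and permissions blocks are outside the hunk, so this is inferred from the step alone. As a style point, all four modified workflow files now end with `\ No newline at end of file`; a trailing newline avoids spurious diff noise on the next edit.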