Trivy #855
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Trivy | |
| on: workflow_dispatch | |
| jobs: | |
| trivy: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| persist-credentials: false | |
| - name: Set up JDK | |
| uses: actions/setup-java@v3 | |
| with: | |
| java-version: '17' | |
| distribution: 'temurin' | |
| cache: 'gradle' | |
| - name: Build all projects without running tests | |
| run: ./gradlew --build-cache build -x test -x spotlessCheck | |
| - name: Construct docker image name and tag | |
| id: image-name | |
| run: | | |
| echo "name=trivy-local-testing-image" >> $GITHUB_OUTPUT | |
| - name: Build image locally with jib | |
| run: | | |
| ./gradlew --build-cache :service:jibDockerBuild \ | |
| --image="${IMAGE_NAME}" \ | |
| -Djib.console=plain | |
| env: | |
| IMAGE_NAME: ${{ steps.image-name.outputs.name }} | |
| - name: Run Trivy vulnerability scanner | |
| uses: broadinstitute/dsp-appsec-trivy-action@v1 | |
| with: | |
| image: ${{ steps.image-name.outputs.name }} | |
| notify-slack: | |
| needs: [ trivy ] | |
| runs-on: ubuntu-latest | |
| if: failure() | |
| steps: | |
| - name: Notify slack on failure | |
| uses: broadinstitute/[email protected] | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
| with: | |
| channel: ${{ vars.SLACK_NOTIFICATION_CHANNELS }} | |
| status: failure | |
| author_name: Trivy action | |
| fields: workflow,message | |
| text: 'Trivy scan failure :sadpanda:' | |
| username: 'Data Explorer GitHub Action' |