diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml new file mode 100644 index 00000000..413314f8 --- /dev/null +++ b/.github/workflows/trivy.yaml @@ -0,0 +1,54 @@ +name: Trivy vulnerability scanner +on: + push: + branches: + - master + pull_request: +jobs: + build: + name: Build + runs-on: ubuntu-18.04 + steps: + - name: Checkout code + uses: actions/checkout@v2 + + - name: Install go + uses: actions/setup-go@v2 + with: + go-version: ^1.17 + + - name: Build images from Dockerfile + run: | + make + docker build -t test/velero-plugin-for-vsphere:latest -f Dockerfile-plugin --output=type=docker --label revision=latest . + docker build -t test/data-manager-for-plugin:latest -f Dockerfile-datamgr --output=type=docker --label revision=latest . + docker build -t test/backup-driver:latest -f Dockerfile-backup-driver --output=type=docker --label revision=latest . + - name: Run Trivy vulnerability scanner on velero-plugin-for-vsphere image + uses: aquasecurity/trivy-action@master + with: + image-ref: 'test/velero-plugin-for-vsphere:latest' + format: 'table' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN' + + - name: Run Trivy vulnerability scanner on data-manager-for-plugin image + uses: aquasecurity/trivy-action@master + with: + image-ref: 'test/data-manager-for-plugin:latest' + format: 'table' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN' + + - name: Run Trivy vulnerability scanner on backup-driver image + uses: aquasecurity/trivy-action@master + with: + image-ref: 'test/backup-driver:latest' + format: 'table' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN' \ No newline at end of file