feat: scan image to trivy #292
base: master
Conversation
Pull request overview
This PR adds Trivy vulnerability scanning to the Docker build and publish GitHub Action workflow. The scanner is configured to fail the build on critical and high severity vulnerabilities in OS and library dependencies, while ignoring unfixed issues.
Key changes:
- Introduced a `scan_image` variable to specify which image tag to scan
- Added a new Trivy scanning step that runs after the Docker image is built and pushed
.github/actions/docker/action.yml
Outdated
| version=$(egrep ' VERSION=(.*)$' '${{ inputs.dockerfile }}' | sed 's/^.*=//') | ||
| vcs_ref=$(git rev-parse --short HEAD) | ||
| image_name=$(cd $(dirname ${{ inputs.dockerfile }}) && echo "${PWD##*/}") | ||
| scan_image=bdossantos/${image_name}:${version}-${vcs_ref} |
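Review bot: besides the missing `>> $GITHUB_OUTPUT` export, the shell in this hunk interpolates `${{ inputs.dockerfile }}` directly into the script and leaves it unquoted in `cd $(dirname ${{ inputs.dockerfile }})`, so a path containing spaces or shell metacharacters is word-split or evaluated instead of being treated as a filename. Pass the input through `env:` and quote it, e.g. `image_name=$(basename "$(dirname "$DOCKERFILE")")`, which also drops the `cd` whose failure would silently make `image_name` the basename of the runner's current directory. Minor: `egrep` is deprecated in GNU grep in favour of `grep -E`.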
Copilot
AI
Nov 28, 2025
The `scan_image` variable is defined but never added to `$GITHUB_OUTPUT`. It needs to be exported with `echo "scan_image=${scan_image}" >> $GITHUB_OUTPUT` to be accessible in step 'Run Trivy vulnerability scanner' at line 59.
| tags: ${{ steps.context.outputs.tags }} | ||
|
|
||
| - name: Run Trivy vulnerability scanner | ||
| uses: aquasecurity/trivy-action@0.33.1 |
Copilot
AI
Nov 28, 2025
[nitpick] Consider pinning the action to a full commit SHA instead of a tag version (e.g., aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b9ceae441) for better security and immutability, especially since dependabot is configured to manage GitHub Actions updates.
| uses: aquasecurity/trivy-action@0.33.1 | |
| uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b9ceae441 |
| - name: Run Trivy vulnerability scanner | ||
| uses: aquasecurity/trivy-action@0.33.1 | ||
| with: | ||
| image-ref: ${{ steps.context.outputs.scan_image }} | ||
| format: table | ||
| exit-code: 1 | ||
| ignore-unfixed: true | ||
| vuln-type: os,library | ||
| severity: CRITICAL,HIGH |
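Review bot: this scan step sits after the step that builds and pushes `${{ steps.context.outputs.tags }}`, so `exit-code: 1` fails the job only after the tags have already been published; a CRITICAL or HIGH finding turns the run red but does not keep the image out of the registry. Build the image locally first (`load: true`, no push), run this step against that `image-ref`, and push in a later step that only runs when the scan passed, so the gate actually blocks publication. Also note that `ignore-unfixed: true` together with `format: table` means a CRITICAL vulnerability with no upstream fix neither fails the job nor shows up anywhere but the job log; a second, non-blocking run with `exit-code: 0` and `ignore-unfixed: false` keeps those findings visible.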
Copilot
AI
Nov 28, 2025
The Trivy scan will run even for pull requests, but the image won't be pushed (line 53 shows push: ${{ github.event_name != 'pull_request' }}). This means Trivy will fail because the image won't exist in the registry. Consider adding a condition if: ${{ github.event_name != 'pull_request' }} to this step, or use scan-type: fs to scan the build context instead for PRs.
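The following composite-action fragment is an added example, not the PR's own `action.yml`, showing one way to resolve the three review points above at once: the context step exports `scan_image`, the image is built into the local daemon and scanned before anything is pushed, and the push is skipped on pull requests. It assumes the build step is `docker/build-push-action` and that the action exposes `inputs.context` alongside the `inputs.dockerfile` seen in the diff; those input names and the step names other than `context` are assumptions.

```yaml
# Added example (not the PR's code). Assumes docker/build-push-action is the
# build step and that `inputs.context` / `inputs.dockerfile` are action inputs.
runs:
  using: composite
  steps:
    - name: Compute image context
      id: context
      shell: bash
      env:
        # Passed through env rather than interpolated into the script body.
        DOCKERFILE: ${{ inputs.dockerfile }}
      run: |
        set -euo pipefail
        # With pipefail, a Dockerfile without a VERSION= line fails the step
        # instead of producing an empty tag.
        version=$(grep -E ' VERSION=(.*)$' "$DOCKERFILE" | sed 's/^.*=//')
        vcs_ref=$(git rev-parse --short HEAD)
        image_name=$(basename "$(dirname "$DOCKERFILE")")
        scan_image="bdossantos/${image_name}:${version}-${vcs_ref}"
        # Every value a later step consumes must be written to GITHUB_OUTPUT.
        {
          echo "version=${version}"
          echo "vcs_ref=${vcs_ref}"
          echo "scan_image=${scan_image}"
        } >> "$GITHUB_OUTPUT"

    # Build once into the local Docker daemon so the image can be scanned
    # before it is published anywhere.
    - name: Build image (local only)
      uses: docker/build-push-action@v6
      with:
        context: ${{ inputs.context }}
        file: ${{ inputs.dockerfile }}
        load: true
        push: false
        tags: ${{ steps.context.outputs.scan_image }}

    # Gate: CRITICAL/HIGH findings fail the job here, before the push step.
    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@0.33.1
      with:
        image-ref: ${{ steps.context.outputs.scan_image }}
        format: table
        exit-code: 1
        ignore-unfixed: true
        vuln-type: os,library
        severity: CRITICAL,HIGH

    # Only reached when the scan passed; layers are reused from the first build.
    - name: Push image
      if: ${{ github.event_name != 'pull_request' }}
      uses: docker/build-push-action@v6
      with:
        context: ${{ inputs.context }}
        file: ${{ inputs.dockerfile }}
        push: true
        tags: ${{ steps.context.outputs.tags }}
```

`load: true` only works for a single-platform build; if this action produces multi-platform images, scan a pushed staging tag (or the build's output digest) instead and re-tag it once the scan passes, which keeps the same build-scan-publish order.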
No description provided.