-
Notifications
You must be signed in to change notification settings - Fork 2
44 lines (41 loc) · 1.29 KB
/
trivy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
name: dsp-appsec-trivy
on:
pull_request:
# Branch settings require status checks before merging, so don't add paths-ignore.
branches: [ master ]
jobs:
appsec-trivy:
# Parse Dockerfile and build, scan image if a "blessed" base image is not used
name: DSP AppSec Trivy check
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
# fetch JDK
- uses: actions/setup-java@v3
with:
distribution: 'temurin'
java-version: '17'
# set up Gradle cache
- uses: actions/cache@v3
with:
path: |
~/.gradle/caches
~/.gradle/wrapper
key:
gradle-${{ hashFiles('**/*.gradle*') }}
restore-keys: |
gradle-
# build the image
- name: Build
id: build
run: |
# build sources and store the plain log without colors
./gradlew jibDockerBuild --console=plain \
| perl -pe 's/\x1b\[[0-9;]*[mG]//g' | tee build.log
# export image name from the log
image=$(grep 'Built image' build.log | awk '{print $NF}')
echo image="${image}" >> $GITHUB_OUTPUT
# scan the image
- uses: broadinstitute/dsp-appsec-trivy-action@v1
with:
image: ${{ steps.build.outputs.image }}