-
Notifications
You must be signed in to change notification settings - Fork 5
46 lines (40 loc) · 1.28 KB
/
trivy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
name: dsp-appsec-trivy
on: [pull_request]
jobs:
appsec-trivy:
# Parse Dockerfile and build, scan image if a "blessed" base image is not used
name: DSP AppSec Trivy check
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
# fetch JDK
- uses: actions/setup-java@v2
with:
distribution: 'temurin'
java-version: '17'
# set up Gradle cache
- uses: actions/cache@v3
with:
path: |
~/.gradle/caches
~/.gradle/wrapper
key:
gradle-${{ hashFiles('**/*.gradle*') }}
restore-keys: |
gradle-
# build the image
- name: Build
id: build
run: |
# Enable pipefail so a gradle build failure fails this step.
set -o pipefail
# build sources and store the plain log without colors
./gradlew jibDockerBuild --console=plain \
| perl -pe 's/\x1b\[[0-9;]*[mG]//g' | tee build.log
# export image name from the log
image=$(grep 'Built image' build.log | awk '{print $NF}')
echo "image=${image}" >> $GITHUB_OUTPUT
# scan the image
- uses: broadinstitute/dsp-appsec-trivy-action@v1
with:
image: ${{ steps.build.outputs.image }}