Add trivy vulnerability scanner build step

thomasferrandiz · thomasferrandiz · commit 8ff60f562d8c · 2024-12-09T13:23:29.000Z
diff --git a/.github/workflows/image-build.yml b/.github/workflows/image-build.yml
@@ -18,6 +18,22 @@ jobs:
           push: false
           tags: ghcr.io/${{ github.repository }}:latest-amd64
           file: Dockerfile
+          
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: ghcr.io/${{ github.repository }}:latest-amd64
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+  
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
 
   build-openshift:
     name: Image build/openshift
