Skip to content
Security

Security #84

Sign in to view logs

Security

Security #84

Workflow file for this run

.github/workflows/security.yml at 0289126
name: Security
on:
schedule:
- cron: '0 5 * * 1-5'
workflow_dispatch:
jobs:
scan-code:
name: Scan code
runs-on: ubuntu-latest
steps:
- name: Checkout project
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Trivy source code
id: trivy_source_code
uses: aquasecurity/trivy-action@0.34.1
with:
scan-type: fs
scan-ref: .
scanners: vuln
severity: CRITICAL,HIGH
format: sarif
output: trivy-results.sarif
ignore-unfixed: true
limit-severities-for-sarif: true
- name: Upload Trivy source code report
if: always()
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: trivy-results.sarif
category: source-code
scan-docker:
name: Scan Docker ${{ matrix.platform }}
runs-on: ubuntu-latest
strategy:
matrix:
platform: [ 'linux/amd64', 'linux/arm64' ]
steps:
- name: Checkout project
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Set up JDK 25
uses: actions/setup-java@v5
with:
java-version: '25'
distribution: 'temurin'
- name: Cache Gradle packages
uses: actions/cache@v5
with:
path: ~/.gradle/caches
key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle') }}
restore-keys: ${{ runner.os }}-gradle
- name: Build
run: ./gradlew build -x test --info
- name: Metadata
id: metadata
run: |
platform_slug=$(echo ${{ matrix.platform }} | sed 's/\//-/g')
echo platform_slug=$platform_slug >> $GITHUB_OUTPUT
echo image_name=michelin/ns4kafka:$platform_slug-jar >> $GITHUB_OUTPUT
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Docker build
uses: docker/build-push-action@v6
with:
context: .
file: .docker/Dockerfile
platforms: ${{ matrix.platform }}
push: false
load: true
tags: ${{ steps.metadata.outputs.image_name }}
env:
DOCKER_BUILD_SUMMARY: false
- name: Trivy Docker image
uses: aquasecurity/trivy-action@0.34.1
with:
scan-type: image
image-ref: ${{ steps.metadata.outputs.image_name }}
scanners: vuln
severity: CRITICAL,HIGH
format: sarif
output: trivy-results.sarif
ignore-unfixed: true
limit-severities-for-sarif: true
- name: Upload Trivy Docker image report
if: always()
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: trivy-results.sarif
category: docker-image-${{ steps.metadata.outputs.platform_slug }}