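# SPDX-FileCopyrightText: (C) 2025 Intel Corporation
# SPDX-License-Identifier: Apache-2.0

# Trivy scanning workflow.
#
# Two independent jobs:
#   - trivy-image-scan: builds the project's container images and scans each
#     one (push / manual dispatch only, see the job-level `if`).
#   - trivy-critical-filesystem-scan: scans the checked-out tree on every
#     trigger, including pull requests.
# Both scans use the shared Trivy config at
# .github/resources/sdl/trivy_config.yml; the error annotations below refer to
# HIGH/CRITICAL findings, which is presumably the threshold set there.
name: "[Code Analysis] Trivy"
run-name: "[Code Analysis] Trivy"

on:
  workflow_dispatch: {}
  push:
    branches:
      - main
      - release-*
  pull_request:
    branches:
      - main
      - release-*
    types:
      - opened
      - synchronize
      - reopened

# Workflow-wide least privilege: nothing here writes back to the repository.
permissions:
  contents: read # needed for actions/checkout

jobs:
  trivy-image-scan:
    name: "Build images and run Trivy image scan"
    permissions:
      contents: read
    runs-on: ubuntu-latest
    # Image builds run for push and manual dispatch only; PRs get the
    # filesystem scan below.
    if: github.event_name != 'pull_request'
    steps:
      - name: Checkout Repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # The token is not needed by later steps; do not leave it in .git/config.
          persist-credentials: false
      - name: Free up runner space
        # Reclaim runner disk ahead of the image build.
        run: |
          # Remove Java (JDKs)
          sudo rm -rf /usr/lib/jvm
          # Remove .NET SDKs
          sudo rm -rf /usr/share/dotnet
          # Remove Swift toolchain
          sudo rm -rf /usr/share/swift
          # Remove Haskell (GHC)
          sudo rm -rf /usr/local/.ghcup
          # Remove Julia
          sudo rm -rf /usr/local/julia*
          # Remove Android SDKs
          sudo rm -rf /usr/local/lib/android
      - name: "Remove all Docker images"
        uses: ./.github/actions/cleanup
        with:
          system-prune: "true"
      - name: Install Trivy
        id: setup_trivy
        uses: aquasecurity/setup-trivy@3fb12ec12f41e471780db15c232d5dd185dcb514 # v0.2.5
        with:
          version: "v0.69.2"
      - name: "Build images"
        id: build_images
        run: |
          echo "SCENESCAPE_VERSION=$(cat version.txt)" >> "$GITHUB_ENV"
          make build-all
          # Select the images just built by the version string and drop the
          # "-test" images. The version is matched as a literal (-F): a dotted
          # version string used as a regex would match more than intended.
          docker image ls | awk '{print $1}' | grep -F -- "$(cat version.txt)" | grep -v -- '-test' > images.txt
      - name: "Run Trivy Image Scan"
        if: always() && steps.build_images.outcome == 'success' && steps.setup_trivy.outcome == 'success'
        run: |
          # Scan every image and keep going after a failure so that all
          # findings land in one run; the step fails at the end if any scan
          # returned non-zero.
          set +e
          EXIT_CODE=0
          # `cat file || echo` never fires on an empty file (cat succeeds with
          # no output), so test the size explicitly and make the condition
          # visible in the run summary.
          if [ -s images.txt ]; then
            cat images.txt
          else
            echo "::warning title=Trivy Image Scan::No images found to scan."
          fi
          # Read the file directly: a here-string built from `$(cat ...)` on an
          # empty file yields one empty line, which would run `trivy image ""`.
          while IFS= read -r image; do
            [ -z "$image" ] && continue
            echo "::group::Scanning image: $image"
            trivy image --config ".github/resources/sdl/trivy_config.yml" "$image"
            IMAGE_CODE=$?
            # Logical OR: EXIT_CODE becomes 1 once any scan fails.
            EXIT_CODE=$((EXIT_CODE || IMAGE_CODE))
            echo "::endgroup::"
            # Exit code 1 gets a findings annotation; any other non-zero code
            # (scan error) still fails the step through EXIT_CODE.
            if [ "$IMAGE_CODE" -eq 1 ]; then
              echo "::error title=Trivy Image Scan Failed::Trivy scan found HIGH or CRITICAL vulnerabilities in image ${image}"
            fi
          done < images.txt
          exit $EXIT_CODE

  trivy-critical-filesystem-scan:
    name: "Run Trivy Critical Filesystem Scan"
    permissions:
      contents: read
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Run Trivy Critical Filesystem Scan
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.34.1
        with:
          version: "v0.69.2"
          scan-type: "fs"
          scan-ref: .
          trivy-config: ".github/resources/sdl/trivy_config.yml"
      - name: Create Error message if Vulnerabilities Found
        # Runs only when the scan step above failed; surfaces the result as a
        # run annotation.
        if: failure()
        run: |
          echo "::error title=Trivy Filesystem Scan Failed::Trivy scan found HIGH or CRITICAL vulnerabilities in the filesystem scan"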