DPSTAT-1397 updating build for trivy#47
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
skykanin
left a comment
It would be nice to fail the build if we find high or critical vulnerabilities, using an action like the one below. Therefore all trivy-related actions should run before we deploy the JAR to our Google Artifact Registry, and the deploy step must only be run if no high or critical vulnerabilities are found.
- name: Fail build on High/Critical Vulnerabilities
  uses: aquasecurity/trivy-action@master
  with:
    scan-type: "fs"
    format: table
    scan-ref: .
    severity: HIGH,CRITICAL
    ignore-unfixed: true
    # A non-zero exit code fails this step, so later steps in the job do not run
    exit-code: 1
    # On a subsequent call to the action we know trivy is already installed so can skip this
    skip-setup-trivy: true
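The ordering the comment asks for, worked through as a complete workflow. This is an added example, not the repository's build.yml or code from the PR author: it assumes a `main` default branch, `actions/checkout@v4` and `actions/setup-java@v4` for the Java toolchain, and a `mvn ... deploy` goal for the Google Artifact Registry push, none of which is shown on the page. The first trivy call reports everything so the full table is in the log; the second call re-uses the installed binary and is the gate.

```yaml
name: build

on:
  push:
    branches: [main]
  pull_request:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up JDK
        uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: "17"   # assumption: the project's Java version is not stated on the page

      # First call installs trivy and scans the checked-out filesystem
      # (dependency manifests, lockfiles, Dockerfiles). exit-code 0 keeps
      # it informational so the complete report is visible for triage.
      - name: Trivy filesystem scan (report only)
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: "fs"
          scan-ref: .
          format: table
          exit-code: 0

      # Second call is the gate: only HIGH/CRITICAL findings that have a
      # fix available count, and a finding makes this step exit non-zero.
      # Because it runs before the build and deploy steps, a failure here
      # stops the job before any artifact is produced or pushed.
      - name: Fail build on High/Critical vulnerabilities
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: "fs"
          scan-ref: .
          format: table
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: 1
          skip-setup-trivy: true   # trivy was installed by the previous step

      - name: Build with Maven
        run: mvn --batch-mode -P ssb-bip package

      # Explicit guard on top of step ordering: deploy only from the default
      # branch and only when every previous step (including the gate) passed.
      - name: Deploy JAR to Google Artifact Registry
        if: ${{ success() && github.ref == 'refs/heads/main' }}
        run: mvn --batch-mode -P ssb-bip deploy   # assumption: deploy goal/profile not shown on the page
```

The `if:` condition on the deploy step is belt-and-braces: a step that exits non-zero already prevents the remaining steps from running, but stating `success()` together with the branch check makes the intent readable in the workflow itself and keeps pull request runs from ever reaching the registry.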
skykanin
left a comment
@skykanin made 1 comment.
Reviewable status: 0 of 1 files reviewed, 1 unresolved discussion (waiting on @salma-tfb).
.github/workflows/build.yml line 29 at r2 (raw file):
- name: Build with Maven
  run: mvn --batch-mode -P ssb-bip package
We should rename this maven profile to ssb-gar (for google artifact registry) as the BIP platform no longer exists.
# Conflicts:
#	.github/workflows/build.yml
skykanin
left a comment
@skykanin reviewed 2 files and all commit messages.
Reviewable status: all files reviewed, 1 unresolved discussion (waiting on @salma-tfb).
skykanin
left a comment
@skykanin resolved 1 discussion.
Reviewable status: complete! All files reviewed, all discussions resolved (waiting on @salma-tfb).