Dpstat 1397 trivy update (#168)

salma-tfb · web-flow · commit 02b85b86adfe · 2026-01-26T14:14:44.000+01:00
* DPSTAT-1397 trivy build set up

* DPSTAT-1397 trivy build set up for build test yml

* DPSTAT-1397 adding fail build on high and critical

* DPSTAT-1397 adding fail build on high and critical

* DPSTAT-1397 updating build test yaml file for trivy

* DPSTAT-1397 updating pom file for vulnerability
diff --git a/.github/workflows/build-deploy-app.yml b/.github/workflows/build-deploy-app.yml
@@ -9,7 +9,6 @@ on:
       - "Makefile"
       - ".mvn"
       - ".gitignore"
-
 jobs:
   build-push:
     name: Build and push to registries
@@ -20,6 +19,7 @@ jobs:
     permissions:
       contents: read
       id-token: write
+      security-events: write
 
     outputs:
       nais-tag: ${{steps.nais-deploy-vars.outputs.nais_tag}}
@@ -29,6 +29,32 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - name: Fail build on High/Critical Vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          format: 'table'
+          scan-ref: '.'
+          severity: 'HIGH,CRITICAL'
+          ignore-unfixed: true
+          exit-code: 1
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          scan-ref: '.'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          skip-setup-trivy: true
+
+      - name: Upload Trivy results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+
       - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
@@ -104,7 +130,10 @@ jobs:
             echo "cluster=test" >> "$GITHUB_OUTPUT"
             echo "nais_config_path=.nais/test/nais.yaml" >> "$GITHUB_OUTPUT"
           fi
-      
+
+
+   
+
   deploy:
     name: Deploy to NAIS
     needs: build-push
diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
@@ -14,22 +14,51 @@ env:
 jobs:
   build-test:
     name: Build and test with Maven
+
     if: ${{github.event_name == 'pull_request'}}
     runs-on: ubuntu-latest
     permissions:
       contents: read
       id-token: write
+      security-events: write
 
     steps:
       - uses: actions/checkout@v4
 
+      - name: Fail build on High/Critical Vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          format: 'table'
+          scan-ref: '.'
+          severity: 'HIGH,CRITICAL'
+          ignore-unfixed: true
+          exit-code: 1
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          scan-ref: '.'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          skip-setup-trivy: true
+
+      - name: Upload Trivy results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+
       - name: Set up JDK 21
         uses: actions/setup-java@v4
         with:
           java-version: 21
           distribution: temurin
           cache: maven
 
+
       - name: Setup Maven authentication to GitHub packages
         uses: s4u/maven-settings-action@v3.1.0
         id: maven_settings
diff --git a/pom.xml b/pom.xml
@@ -27,6 +27,8 @@
     <dapla-dlp-pseudo-core.version>2.0.8</dapla-dlp-pseudo-core.version>
     <micronaut.version>4.10.7</micronaut.version>
     <micronaut.openapi.version>6.19.1</micronaut.openapi.version>
+    <micronaut-gcp-version>5.13.0</micronaut-gcp-version>
+    <grpc-netty-shaded-version>1.75.0</grpc-netty-shaded-version>
     <micronaut.validation.version>4.12.0</micronaut.validation.version>
     <auto-service.version>1.1.1</auto-service.version>
     <maven-javadoc-plugin.version>3.11.2</maven-javadoc-plugin.version>
@@ -137,19 +139,20 @@
     <dependency>
       <groupId>io.micronaut.gcp</groupId>
       <artifactId>micronaut-gcp-common</artifactId>
-      <version>5.13.0</version>
+      <version>${micronaut-gcp-version}</version>
       <scope>compile</scope>
     </dependency>
     <dependency>
       <groupId>io.micronaut.gcp</groupId>
       <artifactId>micronaut-gcp-secret-manager</artifactId>
-      <version>5.13.0</version>
+      <version>${micronaut-gcp-version}</version>
     </dependency>
     <dependency>
-      <groupId>com.google.cloud</groupId>
-      <artifactId>google-cloud-secretmanager</artifactId>
-      <version>2.63.0</version>
+      <groupId>io.grpc</groupId>
+      <artifactId>grpc-netty-shaded</artifactId>
+      <version>${grpc-netty-shaded-version}</version>
     </dependency>
+
     <dependency>
       <groupId>com.google.cloud</groupId>
       <artifactId>google-cloud-core</artifactId>
