feat: add trivy (#164)

dv-hossam-radwan · puehringer · web-flow · commit ab44fd4b5726 · 2025-06-02T13:24:31.000+02:00
* Update build-docker-artifacts workflow: disable image push and add Trivy vulnerability scanning

* Add Trivy scan results upload step to build workflow

* Update Trivy action output format to table for improved readability

* Update Trivy action to output SARIF format and adjust result file path

* Update Trivy action to use table format and add image push step

* Add Dockerfile path to push image step in build workflow

* Add image scanning step and vulnerability check to build workflow

* Comment out image push step in build workflow

* Uncomment image push step in build workflow

* Set continue-on-error to false for Trivy scan and uncomment Dockerfile path in push image step

* Remove commented-out Trivy scan result upload and adjust Trivy action configuration

* Add Trivy configuration path for vulnerability scanning in build workflow

* Remove Trivy configuration path from vulnerability scan step

* Add Trivy configuration path for vulnerability scanning in build workflow

* Remove Trivy configuration path from vulnerability scan step

* Remove image scanning with aws steps from build workflow

* Add image vulnerability scanning step to build workflow

* Update Trivy action to version 0.30.0 in build workflow

* Update Trivy action to use the main branch in vulnerability scanning step

* chore: update Trivy action to version 0.30.0 in build workflow

* fix: correct Trivy action version format in vulnerability scanner step

* fix: update build-push action to load images instead of outputting type

* test: push image

* fix:  remove image scan by aws steps

* Fix: add if condition for trivy

* Fix: remove MEDIUM from scanning

---------

Co-authored-by: Michael Pühringer &lt;51900829+puehringer@users.noreply.github.com&gt;
diff --git a/.github/workflows/build-docker-artifacts.yml b/.github/workflows/build-docker-artifacts.yml
@@ -208,7 +208,8 @@ jobs:
         with:
           context: .
           file: ${{ matrix.component.flavor_directory }}/${{ matrix.component.directory }}/Dockerfile
-          push: true
+          push: false
+          load: true
           # Disable provenance as it creates weird multi-arch images: https://github.com/docker/build-push-action/issues/755
           provenance: false
           build-args: |
@@ -239,28 +240,32 @@ jobs:
           # https://github.com/docker/build-push-action/issues/1156#issuecomment-2437227730
           DOCKER_BUILD_SUMMARY: false
 
+      - name: Run Trivy vulnerability scanner
+        if: ${{ inputs.skip_image_scan != true && fromJson(vars.SKIP_IMAGE_SCAN || 'false') != true && matrix.component.skip_image_scan != true }}
+        uses: aquasecurity/trivy-action@0.30.0
+        with:
+          image-ref: ${{ vars.DV_AWS_ECR_REGISTRY }}/${{ matrix.component.ecr_repository }}:${{ matrix.component.image_tag }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: false
+          vuln-type: 'os,library'
+          severity: 'HIGH,CRITICAL'
+        continue-on-error: false 
+
+      - name: Push image
+        uses: docker/build-push-action@v6
+        with:
+          file: ${{ matrix.component.flavor_directory }}/${{ matrix.component.directory }}/Dockerfile
+          push: true
+          provenance: false
+          context: .
+          tags: |
+            ${{ vars.DV_AWS_ECR_REGISTRY }}/${{ matrix.component.ecr_repository }}:${{ matrix.component.image_tag }}
+
       - name: Log out from Amazon ECR
         shell: bash
         run: docker logout ${{ steps.login-ecr.outputs.registry }}
 
-      - name: Scan image
-        if: ${{ inputs.skip_image_scan != true && fromJson(vars.SKIP_IMAGE_SCAN || 'false') != true && matrix.component.skip_image_scan != true }}
-        id: get-ecr-scan-result
-        uses: ./tmp/github-workflows/.github/actions/get-ecr-scan-result
-        with:
-          aws_role: ${{ vars.DV_AWS_ECR_ROLE }}
-          aws_region: ${{ vars.DV_AWS_REGION }}
-          ecr_registry: ${{ vars.DV_AWS_ECR_REGISTRY }}
-          ecr_repository: ${{ matrix.component.ecr_repository }}
-          image_tag: ${{ matrix.component.image_tag }}
-      - name: Check scan results
-        if: ${{ inputs.skip_image_scan != true && fromJson(vars.SKIP_IMAGE_SCAN || 'false') != true && matrix.component.skip_image_scan != true }}
-        run: |
-          if [ "${{ steps.get-ecr-scan-result.outputs.critical }}" != "null" ] || [ "${{ steps.get-ecr-scan-result.outputs.high }}" != "null" ]; then
-            echo "Docker image contains vulnerabilities at critical or high level"
-            exit 1  #exit execution due to docker image vulnerabilities
-          fi
-
   retag-images:
     name: Retag images of flavor ${{ matrix.flavor || 'default' }}
     needs: [get-flavors, build-flavors]
