Add CI job to scan container

gaggle · gaggle · commit 6ae2b1fdc224 · 2023-10-21T11:23:46.000+02:00
diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
@@ -34,6 +34,26 @@ jobs:
           build-file: .github/Dockerfile
           build-context: .
 
+  vulnerability-scanner:
+    needs: [ build ]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: ./.github/actions/load-tar-image
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.IMAGE_NAME }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          exit-code: '1'
+          severity: 'MEDIUM,HIGH,CRITICAL'
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: 'trivy-results.sarif'
+
   e2e-tests:
     needs: [ build ]
     strategy:
@@ -61,8 +81,8 @@ jobs:
           expected: ${{ matrix.data.expected }}
 
   push:
+    needs: [ version, build, e2e-tests, vulnerability-scanner ]
     runs-on: ubuntu-latest
-    needs: [ version, build, e2e-tests ]
     name: ${{ needs.version.outputs.releasable == 'true' && 'push' || 'push (dry-run)' }}
     permissions:
       packages: write
