Add trivy scan

hyness · hyness · commit 674990745f6e · 2024-08-19T08:32:02.000-07:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -90,3 +90,26 @@ jobs:
           -PimageRegistry=${{ needs.build-vars.outputs.registry }}
           -PjdkVersion=${{ needs.build-vars.outputs.jvm-version }}
           -PimageTag=${{ needs.sha-tag.outputs.tag }}
+
+  vulnerability-scan:
+    name: Scan for vulnerabilities
+    runs-on: ubuntu-latest
+    needs:
+      - build-vars
+      - sha-tag
+    steps:
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.20.0
+        with:
+          image-ref: ${{ needs.build-vars.outputs.registry }}/${{ github.repository }}:${{ needs.sha-tag.outputs.tag }}
+          format: table
+          exit-code: 1
+          ignore-unfixed: true
+          vuln-type: os,library
+          severity: CRITICAL,HIGH
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif
