ci: add Trivy CVE scan to container release workflow (#8820)
* ci: add Trivy CVE scan to container release workflow * ci: pin trivy-action version and fail on HIGH/CRITICAL CVEs Address review feedback: - Pin aquasecurity/trivy-action to v0.28.0 instead of @master - Add exit-code: '1' so the scan fails the job on findings - Add comment explaining why only amd64 is scanned * ci: pin trivy-action to SHA for v0.35.0 Tags ≤0.34.2 were compromised (GHSA-69fq-xp46-6x23). Pin to the full commit SHA of v0.35.0 to avoid mutable tag risks.
This commit is contained in:
Chris Lu
42
.github/workflows/container_latest.yml
vendored
42
.github/workflows/container_latest.yml
vendored
@@ -26,6 +26,7 @@ on:
|
|||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
contents: read
|
contents: read
|
||||||
|
security-events: write
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
setup:
|
setup:
|
||||||
@@ -149,9 +150,48 @@ jobs:
|
|||||||
# Remove Go build cache
|
# Remove Go build cache
|
||||||
sudo rm -rf /tmp/go-build*
|
sudo rm -rf /tmp/go-build*
|
||||||
|
|
||||||
create-manifest:
|
trivy-scan:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs: [setup, build]
|
needs: [setup, build]
|
||||||
|
strategy:
|
||||||
|
matrix:
|
||||||
|
variant: ${{ fromJSON(needs.setup.outputs.variants) }}
|
||||||
|
steps:
|
||||||
|
- name: Configure variant
|
||||||
|
id: config
|
||||||
|
run: |
|
||||||
|
if [ "${{ matrix.variant }}" == "large_disk" ]; then
|
||||||
|
echo "tag_suffix=_large_disk" >> $GITHUB_OUTPUT
|
||||||
|
else
|
||||||
|
echo "tag_suffix=" >> $GITHUB_OUTPUT
|
||||||
|
fi
|
||||||
|
- name: Login to GHCR
|
||||||
|
uses: docker/login-action@v4
|
||||||
|
with:
|
||||||
|
registry: ghcr.io
|
||||||
|
username: ${{ secrets.GHCR_USERNAME }}
|
||||||
|
password: ${{ secrets.GHCR_TOKEN }}
|
||||||
|
- name: Run Trivy vulnerability scanner
|
||||||
|
# Pin to SHA — mutable tags were compromised (GHSA-69fq-xp46-6x23)
|
||||||
|
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
|
||||||
|
with:
|
||||||
|
# Scan amd64 only — OS packages are identical across architectures
|
||||||
|
# since they all use the same alpine base, so a single-arch scan
|
||||||
|
# provides sufficient coverage without multiplying CI time.
|
||||||
|
image-ref: ghcr.io/chrislusf/seaweedfs:${{ github.event_name == 'workflow_dispatch' && github.event.inputs.image_tag || 'latest' }}${{ steps.config.outputs.tag_suffix }}-amd64
|
||||||
|
format: sarif
|
||||||
|
output: trivy-results.sarif
|
||||||
|
severity: HIGH,CRITICAL
|
||||||
|
exit-code: '1'
|
||||||
|
- name: Upload Trivy scan results to GitHub Security
|
||||||
|
uses: github/codeql-action/upload-sarif@v3
|
||||||
|
if: always()
|
||||||
|
with:
|
||||||
|
sarif_file: trivy-results.sarif
|
||||||
|
|
||||||
|
create-manifest:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
needs: [setup, build, trivy-scan]
|
||||||
if: github.event_name != 'pull_request'
|
if: github.event_name != 'pull_request'
|
||||||
strategy:
|
strategy:
|
||||||
matrix:
|
matrix:
|
||||||
|
|||||||
Reference in New Issue
Block a user