From 8de47eae5b3a565a13c908af0c9d72eb583485e7 Mon Sep 17 00:00:00 2001
From: Gian Miguel Del Mundo
Date: Fri, 26 Apr 2024 12:13:29 +0800
Subject: [PATCH 1/2] Added vuln scan step during build pipeline
---
 .github/workflows/build.yml | 7 +++++++
 .trivyignore | 5 +++++
 2 files changed, 12 insertions(+)
 create mode 100644 .trivyignore
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 55ba232..2dabef7 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -29,6 +29,13 @@ jobs:
 - name: Build and run tests
 run: ./gradlew build
+ - name: Vulnerability Scan
+ uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan_filesystem@v2
+ with:
+ scan_severity: HIGH,CRITICAL
+ failure_severity: CRITICAL,HIGH
+ publish_vulnerabilities: true
+
 - name: Deploy SNAPSHOT to Maven Central
 if: github.event_name == 'push' && github.ref == 'refs/heads/main'
 run: ./gradlew publish --stacktrace
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..6ac5cb7
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,5 @@
+# List any vulnerability that are to be accepted
+# See https://aquasecurity.github.io/trivy/v0.35/docs/vulnerability/examples/filter/
+# for more details
+# e.g.
+# CVE-2022-3996
From fa7e5d9aafa0807b2346f81b49288000969cea56 Mon Sep 17 00:00:00 2001
From: Gian Miguel Del Mundo
Date: Fri, 26 Apr 2024 15:22:44 +0800
Subject: [PATCH 2/2] Changed vuln scan to use default args
---
 .github/workflows/build.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2dabef7..ac75f5a 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
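Review bot: The new `uses:` line in the `@@ -29,6 +29,13 @@` hunk pins the shared action to the mutable tag `@v2`, so the scanner, its default thresholds and any transitive tooling can change underneath this workflow without a commit in this repository, which is the opposite of what a supply-chain gate should guarantee. Pin to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan_filesystem@<full-commit-sha>  # v2`, and let Dependabot or a similar bump process move the SHA. The same `uses:` line survives unchanged as context in the second patch's `@@ -31,10 +31,6 @@` hunk, so the fix applies to the final state as well. Note also that the step is placed between the Gradle build and the SNAPSHOT deploy, so a failing scan blocks the publish; that ordering is correct and is worth stating in a one-line comment above the step so it is not moved later.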
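Review bot: The new `.trivyignore` is a silent suppression list, and its header comment only says to "list any vulnerability that are to be accepted" without asking for a rationale, so future entries will carry no justification or expiry. Change the example lines to model the expected form, e.g. `# CVE-YYYY-NNNNN  # accepted: <reason>, owner: <team>, revisit: <date>`, so each suppression is auditable and can be revisited. The linked Trivy documentation is for a specific old release (`v0.35`); whether the shared action's Trivy version still honours this file and its location is not visible here and should be confirmed against the action.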
@@ -31,10 +31,6 @@ jobs:
 - name: Vulnerability Scan
 uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan_filesystem@v2
- with:
- scan_severity: HIGH,CRITICAL
- failure_severity: CRITICAL,HIGH
- publish_vulnerabilities: true
 - name: Deploy SNAPSHOT to Maven Central
 if: github.event_name == 'push' && github.ref == 'refs/heads/main'
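Review bot: Removing the `with:` block leaves the severity scope, the failure threshold and whether findings are published entirely to the shared action's defaults, which are not visible from this repository, so a reader of this workflow can no longer tell whether a HIGH finding blocks the SNAPSHOT deploy that follows. Record the effective behaviour at the pinned version in a comment above the step, e.g. `# Relies on the shared action's default scan/failure severities; confirm in its action.yml before trusting it to block the deploy on HIGH findings.`, or keep the explicit `failure_severity` input so the gate is self-describing. It is also not visible whether the action picks up the `.trivyignore` added in the first patch without an input pointing at it; that is worth verifying on a run before assuming accepted findings are filtered.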