Skip to content

Add trivy scanner

Add trivy scanner #8

name: Build and test Package
on:
push:
schedule:
- cron: '30 5 * * *'
workflow_dispatch:
inputs:
ref:
description: "Commit hash"
default: ""
jobs:
build:
runs-on: ubuntu-latest
container: amazonlinux:2
strategy:
matrix:
build_type: [debug, relwithdebinfo]
steps:
- name: Set up Dev Environment
run: |
yum groupinstall -y "Development Tools"
yum install -y cmake3 valgrind git
- uses: actions/checkout@v3
with:
ref: ${{inputs.ref}}
- name: Build and Test
run: |
cmake3 -S . -B build -DCMAKE_BUILD_TYPE=${{matrix.build_type}}
cd build
make package
make test
- name: Generate Trivy vulnerability scan report
uses: aquasecurity/[email protected]
with:
scan-type: 'fs'
format: 'sarif'
exit-code: '0'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
output: 'trivy-results.sarif'
hide-progress: true
- name: Upload Trivy scan report to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
- name: Test with Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
scan-type: 'fs'
format: 'table'
exit-code: '1'
ignore-unfixed: true
severity: 'CRITICAL'
hide-progress: true