add trivvy scan

wmo-im · Nov 1, 2024 · 2a32dd0 · 2a32dd0
1 parent 56f5bcf
commit 2a32dd0
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 2 deletions.
diff --git a/.github/workflows/trivvy.yml b/.github/workflows/trivvy.yml
@@ -0,0 +1,24 @@
+name: Run Trivy vulnerability scanner
+
+
+on: [ push ]
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Build wis2box-management
+        run: |
+          docker build -t dim_eccodes_baseimage:test .
+      - name: Run Trivy vulnerability scanner on dim_eccodes_baseimage:test
+        if: always()
+        uses: aquasecurity/[email protected]
+        with:
+          image-ref: dim_eccodes_baseimage:test
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
diff --git a/Dockerfile b/Dockerfile
@@ -21,7 +21,7 @@
 
 FROM ubuntu:jammy
 
-ARG BUILD_PACKAGES="build-essential cmake gfortran" \
+ARG BUILD_PACKAGES="build-essential cmake gfortran python3-dev linux-libc-dev" \
     ECCODES_VER=2.36.0
 
 ENV DEBIAN_FRONTEND="noninteractive" \
@@ -33,7 +33,7 @@ WORKDIR /tmp/eccodes
 
 RUN echo "Acquire::Check-Valid-Until \"false\";\nAcquire::Check-Date \"false\";" | cat > /etc/apt/apt.conf.d/10no--check-valid-until \
     && apt-get update -y \
-    && apt-get install -y ${BUILD_PACKAGES} python3 python3-pip python3-dev curl \
+    && apt-get install -y ${BUILD_PACKAGES} python3 python3-pip curl \
     && curl https://confluence.ecmwf.int/download/attachments/45757960/eccodes-${ECCODES_VER}-Source.tar.gz --output eccodes-${ECCODES_VER}-Source.tar.gz \
     && tar xzf eccodes-${ECCODES_VER}-Source.tar.gz \
     && mkdir build && cd build && cmake -DCMAKE_INSTALL_PREFIX=${ECCODES_DIR} -DENABLE_AEC=OFF ../eccodes-${ECCODES_VER}-Source && make && ctest && make install # \