From 09ccf73bb5fe8ac2bf665c8a61980d0b7137e4f7 Mon Sep 17 00:00:00 2001
From: Syndamia <kamen@syndamia.com>
Date: Tue, 13 Aug 2024 14:55:25 +0300
Subject: feat(cd*): Added trivy scanning

---
 .github/workflows/cd.yml | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

(limited to '.github/workflows/cd.yml')

diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index 2419fe2..221acc2 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -22,10 +22,27 @@ jobs:
           file: ./docker/prod/Dockerfile
           tags: ${{ secrets.DOCKERHUB_USERNAME }}/pico-web-server:latest
 
+  Test-Trivy:
+    name: Scan development docker container with trivy
+    runs-on: ubuntu-latest
+    needs: Build-docker-and-push
+    steps:
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.20.0
+        with:
+          image-ref: 'docker.io/${{ secrets.DOCKERHUB_USERNAME }}/pico-web:latest'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
+
   Release:
     name: Make github release
     runs-on: ubuntu-latest
-    needs: Build-docker-and-push
+    needs: Test-Trivy
     steps:
       - uses: actions/checkout@v4
       - uses: rymndhng/release-on-push-action@master
@@ -38,7 +55,7 @@ jobs:
   Deploy-kubernetes:
     name: Deploy kubernetes cluster locally to an action
     runs-on: ubuntu-latest
-    needs: Build-docker-and-push
+    needs: Test-Trivy
     steps:
       # Setup dependencies
       - name: Install socat
-- 
cgit v1.2.3