From 821db276bc7af4f887b7dfda21b045545cb3a528 Mon Sep 17 00:00:00 2001
From: Laurent Bossavit
Date: Tue, 5 Nov 2024 15:00:38 +0100
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8(ci)=20add=20security=20scan?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Separate security scan from build-and-push, so we can make it optional in CI
---
 .github/workflows/docker-hub.yml | 36 ++++++++++++++++++++++++++------
 1 file changed, 30 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/docker-hub.yml b/.github/workflows/docker-hub.yml
index 81a3c01..28b4cc6 100644
--- a/.github/workflows/docker-hub.yml
+++ b/.github/workflows/docker-hub.yml
@@ -16,6 +16,36 @@ env:
 DOCKER_USER: 1001:127
 jobs:
+ trivy-scan:
+ runs-on: ubuntu-latest
+ steps:
+ -
+ uses: actions/create-github-app-token@v1
+ id: app-token
+ with:
+ app-id: ${{ secrets.APP_ID }}
+ private-key: ${{ secrets.PRIVATE_KEY }}
+ owner: ${{ github.repository_owner }}
+ repositories: "people,secrets"
+ -
+ name: Checkout repository
+ uses: actions/checkout@v2
+ with:
+ submodules: recursive
+ token: ${{ steps.app-token.outputs.token }}
+ -
+ name: Docker meta
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: lasuite/people-backend
+ -
+ name: Run trivy scan
+ uses: numerique-gouv/action-trivy-cache@main
+ with:
+ docker-build-args: '--target backend-production -f Dockerfile'
+ docker-image-name: 'docker.io/lasuite/people-backend:${{ github.sha }}'
+
 build-and-push-backend:
 runs-on: ubuntu-latest
 steps:
@@ -49,12 +79,6 @@ jobs:
 name: Login to DockerHub
 if: github.event_name != 'pull_request'
 run: echo "$DOCKER_HUB_PASSWORD" | docker login -u "$DOCKER_HUB_USER" --password-stdin
- -
- name: Run trivy scan
- uses: numerique-gouv/action-trivy-cache@main
- with:
- docker-build-args: '--target backend-production -f Dockerfile'
- docker-image-name: 'docker.io/lasuite/people-backend:${{ github.sha }}'
 -
 name: Build and push
 uses: docker/build-push-action@v6
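Review bot: The new trivy-scan job runs `uses: numerique-gouv/action-trivy-cache@main` and `uses: actions/checkout@v2`: a mutable branch ref means whatever lands on that action's main branch next executes in this job alongside the App token minted by the app-token step, and checkout v2 is a superseded major sitting next to the v5/v6 actions used in the same job. Pin the scanner to a reviewed commit, `uses: numerique-gouv/action-trivy-cache@<full-commit-sha>  # pinned; bump deliberately`, and move the checkout to `uses: actions/checkout@v4`. The `Docker meta` step (id: meta) produces outputs that nothing in the job reads — the scan step hard-codes `docker-image-name` — so it appears to have been carried over from build-and-push-backend and can be dropped. build-and-push-backend declares no `needs: trivy-scan`, so an image is pushed even when the scan fails; that matches the "optional" intent in the commit message, but if the scan is meant to gate releases `needs: trivy-scan` on that job is the one-line fix.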