Merge pull request #75 from mgarciaLKS/trivy-update

matbmoser · web-flow · commit e70e560802bd · 2025-03-03T16:10:22.000+01:00
update: add frontend to trivy
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -29,8 +29,7 @@ on:
 env:
   IMAGE_NAMESPACE: 'tractusx'
   ICHUB_BACKEND_IMAGE_NAME: "ichub-backend"
-  DATASPACE_SDK_IMAGE_NAME: "dataspace-sdk"
-  INDUSTRY_SDK_IMAGE_NAME: "industry-sdk"
+  ICHUB_FRONTEND_IMAGE_NAME: "ichub-frontend"
 
 jobs:
   analyze-ichub-backend:
@@ -67,3 +66,38 @@ jobs:
         if: always()
         with:
           sarif_file: "trivy-results-ichub-backend.sarif"
+
+  analyze-ichub-frontend:
+      name: Analyze ICHub Frontend
+      runs-on: ubuntu-latest
+      permissions:
+        actions: read
+        contents: read
+        security-events: write
+
+      steps:
+        - name: Checkout repository
+          uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+        - name: Build ichub-frontend Docker image
+          id: build-docker-ichub-frontend
+          run: |
+              cd ichub-frontend
+              docker build -t ${{ env.IMAGE_NAMESPACE }}/${{ env.ICHUB_FRONTEND_IMAGE_NAME }}:latest .
+
+        - name: Run Trivy vulnerability scanner
+          uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
+          with:
+            image-ref: "${{ env.IMAGE_NAMESPACE }}/${{ env.ICHUB_FRONTEND_IMAGE_NAME }}:latest" # Pull image from Docker Hub and run Trivy vulnerability scanner
+            format: "sarif"
+            output: "trivy-results-ichub-frontend.sarif"
+            severity: "CRITICAL,HIGH" # While vulnerabilities of all severities are reported in the SARIF output, the exit code and workflow failure are triggered only by these specified severities (CRITICAL or HIGH).
+            hide-progress: false
+            exit-code: "1" # Trivy exits with code 1 if vulnerabilities are found, causing the workflow step to fail.
+            limit-severities-for-sarif: true
+
+        - name: Upload Trivy scan results to GitHub Security tab
+          uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+          if: always()
+          with:
+            sarif_file: "trivy-results-ichub-frontend.sarif"
