trivy image scan #18
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: trivy image scan | |
| on: | |
| push: | |
| branches: | |
| - "**" | |
| schedule: | |
| - cron: '0 16 * * 1' # Run every Monday at 8:00 Pacific (16:00 UTC) | |
| env: | |
| DOCKER_BUILDX_PLATFORMS: linux/amd64 | |
| jobs: | |
| image-scan: | |
| name: Image Scan | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - id: buildx-setup | |
| name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| with: | |
| platforms: linux/amd64 # Load in the following step supports only one image and linux/amd64 is fine for scanning | |
| - name: Build | |
| run: | | |
| make build-extension TAG=${{ github.sha }} | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # v0.30.0 | |
| with: | |
| image-ref: ngrok/ngrok-docker-extension:${{ github.sha }} | |
| severity: 'CRITICAL,HIGH' | |
| exit-code: '1' # fail job on HIGH/CRITICAL vulns | |
| format: 'table' # Show vulnerabilities in CI logs |