ci/cd: Add security analysis step

2020-09-30 23:07:36 +02:00
parent 1b862039dc
commit 67012ccb2f
2 changed files with 69 additions and 0 deletions
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -113,3 +113,43 @@ jobs:
        run: |
          docker stop saltstack_master registry
          docker image rm ${IMAGE_NAME}
+
+  security-analysis:
+    name: Security analysis
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Download Docker registry data from build job
+        uses: actions/download-artifact@v2
+        with:
+          name: docker-registry-data
+          path: ${{ env.REGISTRY_PATH }}
+
+      - name: Enable Docker experimental
+        run: |
+          # Enable docker daemon experimental support.
+          echo '{"experimental": true}' | sudo tee /etc/docker/daemon.json
+          sudo systemctl restart docker
+          # Install QEMU multi-architecture support for docker buildx.
+          docker run --rm --privileged multiarch/qemu-user-static --reset -p yes
+
+      - name: Start Docker registry
+        run: |
+          docker run -d -p 5000:5000 -v ${REGISTRY_PATH}:/var/lib/registry --name registry registry:2
+
+      - name: Import Docker images
+        run: docker pull --platform linux/amd64 ${IMAGE_NAME}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.IMAGE_NAME }}
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+          severity: 'HIGH,CRITICAL'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: 'trivy-results.sarif'