ci/cd: Add security analysis step

2020-09-30 23:07:36 +02:00
parent 1b862039dc
commit 67012ccb2f
2 changed files with 69 additions and 0 deletions
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -88,3 +88,32 @@ jobs:
          cache-to: type=local,dest=${{ env.CACHE_PATH }}
          push: true
          tags: ${{ steps.metadata.outputs.tags }}
+
+  security-analysis:
+    name: Security analysis
+    runs-on: ubuntu-latest
+    needs: publish
+    if: github.event_name == 'release'
+    steps:
+      - name: Prepare metadata
+        id: metadata
+        run: |
+          IMAGE_REF="${IMAGE_NAME}:${GITHUB_REF_NAME:-latest}"
+          echo ::set-output name=image_ref::${IMAGE_REF}
+
+      - name: Import Docker images
+        run: docker pull ${{ steps.metadata.outputs.image_ref }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ steps.metadata.outputs.image_ref }}
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+          severity: 'HIGH,CRITICAL'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: 'trivy-results.sarif'