build: Add flow with Trivy

extenda · SnigL · Jan 14, 2025 · Jan 14, 2025 · Jan 14, 2025 · Jan 14, 2025
commit ad581a5cbfacea26eb404531e3d6a19bbc7b5b0b
diff --git a/generic/vulnerability-scan/README.md b/generic/vulnerability-scan/README.md
@@ -0,0 +1,19 @@
+# Vulnerability Scanning Composite Action
+
+Runs a vulnerability scan using [Trivy](https://github.com/aquasecurity/trivy-action) on the supplied Docker image. The action will fail if any Critical issues are found.
+
+## Usage
+
+```yaml
+env:
+  IMAGE: eu.gcr.io/extenda/hiiretail-service
+
+jobs:
+  ...
+  vulnerability-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: extenda/shared-workflows/generic/vulnerability-scan@build/add-trivy-workflow
+        with:
+          docker-image: ${{ env.IMAGE }}:${{ github.sha }}
+```
diff --git a/generic/vulnerability-scan/action.yaml b/generic/vulnerability-scan/action.yaml
@@ -0,0 +1,25 @@
+name: vulnerability-scan
+description: Runs a vulnerability scan on the built image
+inputs:
+  docker-image:
+    description: The docker image
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+
+    - name: Build image
+      shell: bash
+      run: docker build -t ${{ inputs.docker-image }} .
+
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/[email protected]
+      with:
+        image-ref: ${{ inputs.docker-image }}
+        format: 'table'
+        severity: 'CRITICAL'
+        exit-code: '1'