feat(ci): add trivy-scan to workflow

jsjoeio · jsjoeio · commit 7cc821ed39e9 · 2021-04-29T14:48:51.000-07:00
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -406,3 +406,51 @@ jobs:
         with:
           name: release-images
           path: ./release-images
+
+  trivy-scan:
+    runs-on: ubuntu-20.04
+    needs: package-linux-arm64
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Download release package
+        uses: actions/download-artifact@v2
+        with:
+          name: release-packages
+          path: ./release-packages
+
+      - name: Build Docker image
+        run: ./ci/steps/build-docker-image.sh
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: "fs"
+          ignore-unfixed: true
+          format: "template"
+          template: "@/contrib/sarif.tpl"
+          output: "trivy-repo-results.sarif"
+          severity: "CRITICAL"
+
+      - name: Run Trivy vulnerability scanner in image mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: "codercom/code-server:${{ github.sha }}"
+          scan-type: "image"
+          ignore-unfixed: true
+          format: "template"
+          template: "@/contrib/sarif.tpl"
+          output: "trivy-image-results.sarif"
+          severity: "CRITICAL"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: "trivy-repo-results.sarif"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: "trivy-image-results.sarif"
