From d7493e77f5ea82c1d0f50af0e495c286cceb7c0a Mon Sep 17 00:00:00 2001
From: Bo-Yi Wu
Date: Thu, 16 Apr 2026 23:00:58 +0800
Subject: [PATCH] ci: add trivy workflow and gate docker push on image scan
---
 .github/workflows/docker.yml | 31 +++++++++++++
 .github/workflows/trivy.yml | 84 ++++++++++++++++++++++++++++++++++++
 2 files changed, 115 insertions(+)
 create mode 100644 .github/workflows/trivy.yml
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 5f51522..8ad8276 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -10,6 +10,11 @@ on:
 branches:
 - "master"
 
+permissions:
+ contents: read
+ packages: write
+ security-events: write
+
 jobs:
 build-docker:
 runs-on: ubuntu-latest
@@ -60,6 +65,32 @@ jobs:
 type=semver,pattern={{major}}.{{minor}}
 type=semver,pattern={{major}}
 
+ - name: Build image for scanning
+ uses: docker/build-push-action@v7
+ with:
+ context: .
+ file: docker/Dockerfile
+ platforms: linux/amd64
+ push: false
+ load: true
+ tags: drone-discord:scan
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@v0.35.0
+ with:
+ image-ref: "drone-discord:scan"
+ format: "sarif"
+ output: "trivy-image-results.sarif"
+ severity: "CRITICAL,HIGH"
+ exit-code: '1'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v4
+ if: always()
+ with:
+ sarif_file: "trivy-image-results.sarif"
+ category: "trivy-docker-image"
+
 - name: Build and push
 uses: docker/build-push-action@v7
 with:
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000..b2349e7
--- /dev/null
+++ b/.github/workflows/trivy.yml
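Review bot: The new `permissions` block is workflow-level, so `packages: write` and `security-events: write` are granted to every job in docker.yml rather than to `build-docker` alone; if `build-docker` is the only job this is equivalent today, but declaring the two write scopes under the job keeps any job added later at the repository's default token scope. `packages: write` is only needed when the `Build and push` step pushes to GHCR with `GITHUB_TOKEN` — that step's registry login is outside the hunk, so if a registry secret is used instead the grant can be dropped.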
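Review bot: The image Trivy gates on is not the artifact that gets pushed: the scan builds a separate `linux/amd64`, `load: true` image, and the `Build and push` step that follows (its `with:` block continues outside the hunk) runs a second build, so if that build targets more platforms or its layers are not served from cache, the pushed image can differ from the scanned one. If the push is multi-arch, only the amd64 variant was ever scanned; scanning the pushed image by digest in a post-push step, or adding `cache-from: type=gha` / `cache-to: type=gha,mode=max` to both build steps so the second build reuses the scanned layers, narrows that gap. Separately, `exit-code: '1'` with `severity: "CRITICAL,HIGH"` also blocks the push on findings that have no fix available yet; if that is not intended, `ignore-unfixed: true` limits the gate to fixable CVEs. A small style point: `exit-code: '1'` is the only single-quoted value in the step — `exit-code: "1"` would match the rest.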
@@ -0,0 +1,84 @@
+name: Trivy Security Scan
+
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ branches:
+ - master
+ schedule:
+ - cron: "0 0 * * *"
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ security-events: write
+
+jobs:
+ trivy-repo-scan:
+ name: Trivy Repository Scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+
+ - name: Run Trivy vulnerability scanner (repo)
+ uses: aquasecurity/trivy-action@v0.35.0
+ with:
+ scan-type: "fs"
+ scan-ref: "."
+ format: "sarif"
+ output: "trivy-repo-results.sarif"
+ severity: "CRITICAL,HIGH"
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v4
+ if: always()
+ with:
+ sarif_file: "trivy-repo-results.sarif"
+
+ trivy-image-scan:
+ name: Trivy Image Scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+
+ - name: Setup go
+ uses: actions/setup-go@v6
+ with:
+ go-version-file: go.mod
+ check-latest: true
+
+ - name: Build binary
+ run: |
+ make build_linux_amd64
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v4
+
+ - name: Build Docker image for scanning
+ uses: docker/build-push-action@v7
+ with:
+ context: .
+ file: docker/Dockerfile
+ platforms: linux/amd64
+ push: false
+ load: true
+ tags: drone-discord:scan
+
+ - name: Run Trivy vulnerability scanner (image)
+ uses: aquasecurity/trivy-action@v0.35.0
+ with:
+ image-ref: "drone-discord:scan"
+ format: "sarif"
+ output: "trivy-image-results.sarif"
+ severity: "CRITICAL,HIGH"
+
+ - name: Upload Trivy image scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v4
+ if: always()
+ with:
+ sarif_file: "trivy-image-results.sarif"
+ category: "trivy-image"
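Review bot: Both jobs in this workflow are report-only — neither Trivy step sets `exit-code`, so the `pull_request` run passes whatever the scan finds and only the SARIF upload surfaces the results; if that is the intent, a comment on each scanner step such as `# report-only: findings go to the Security tab, the push gate lives in docker.yml` would stop the next reader from assuming PRs are blocked here. `trivy-image-scan` rebuilds and scans the same `drone-discord:scan` image that docker.yml now scans on every push to master, and uploads it under a different category (`trivy-image` vs `trivy-docker-image`), so each master commit will produce two alert sets for one image; restricting this job to the non-push triggers (`if: github.event_name != 'push'`) or sharing one category avoids the duplication. The repo-scan upload also omits `category` while the image upload sets one — adding `category: "trivy-repo"` keeps the two result sets in this workflow distinct. Uploads from fork pull requests will likely fail because `GITHUB_TOKEN` is read-only there, so confirm whether the `if: always()` upload steps should exclude that case.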