third/plugin-drone-jenkins
1
0
Fork 0
mirror of https://github.com/appleboy/drone-jenkins.git synced 2026-06-04 10:15:02 +08:00
Code Issues Packages Projects Releases Wiki Activity

ci: standardize Trivy security scanning workflows

Browse Source 
- Add Trivy image scan job to trivy.yml alongside existing repo scan
- Add Trivy image scan step in docker.yml before pushing Docker image
- Add security-events permission for SARIF upload
This commit is contained in:
Bo-Yi Wu
2026-04-16 18:10:08 +08:00
parent 5d50e1e745
commit c773b54f0e
2 changed files with 81 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/docker.yml
+30
View File
@@ -10,6 +10,11 @@ on:
branches:
- "master"
permissions:
contents: read
packages: write
security-events: write
jobs:
build-docker:
runs-on: ubuntu-latest
@@ -53,6 +58,31 @@ jobs:
type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}}
- name: Build image for scanning
uses: docker/build-push-action@v7
with:
context: .
file: docker/Dockerfile
platforms: linux/amd64
push: false
load: true
tags: drone-jenkins:scan
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@v0.35.0
with:
image-ref: "drone-jenkins:scan"
format: "sarif"
output: "trivy-image-results.sarif"
severity: "CRITICAL,HIGH"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: "trivy-image-results.sarif"
category: "trivy-docker-image"
- name: Build and push
uses: docker/build-push-action@v7
with:
.github/workflows/trivy.yml
+51 -22
View File
@@ -10,47 +10,76 @@ on:
schedule:
# Run daily at 00:00 UTC
- cron: "0 0 * * *"
workflow_dispatch: # Allow manual trigger
workflow_dispatch:
permissions:
contents: read
security-events: write # Required for uploading SARIF results
security-events: write
jobs:
trivy-scan:
name: Trivy Security Scan
trivy-repo-scan:
name: Trivy Repository Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
- name: Checkout repository
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Run Trivy vulnerability scanner (source code)
- name: Run Trivy vulnerability scanner (repo)
uses: aquasecurity/trivy-action@v0.35.0
with:
scan-type: "fs"
scan-ref: "."
scanners: "vuln,secret,misconfig"
format: "sarif"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH,MEDIUM"
ignore-unfixed: true
output: "trivy-repo-results.sarif"
severity: "CRITICAL,HIGH"
- name: Upload Trivy results to GitHub Security tab
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: "trivy-results.sarif"
sarif_file: "trivy-repo-results.sarif"
- name: Run Trivy scanner (table output for logs)
trivy-image-scan:
name: Trivy Image Scan
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6
- name: Setup go
uses: actions/setup-go@v6
with:
go-version-file: go.mod
check-latest: true
- name: Build binary
run: |
make build_linux_amd64
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v4
- name: Build Docker image for scanning
uses: docker/build-push-action@v7
with:
context: .
file: docker/Dockerfile
platforms: linux/amd64
push: false
load: true
tags: drone-jenkins:scan
- name: Run Trivy vulnerability scanner (image)
uses: aquasecurity/trivy-action@v0.35.0
with:
image-ref: "drone-jenkins:scan"
format: "sarif"
output: "trivy-image-results.sarif"
severity: "CRITICAL,HIGH"
- name: Upload Trivy image scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
scan-type: "fs"
scan-ref: "."
scanners: "vuln,secret,misconfig"
format: "table"
severity: "CRITICAL,HIGH,MEDIUM"
ignore-unfixed: true
exit-code: "1"
sarif_file: "trivy-image-results.sarif"
category: "trivy-image"