@@ -406,3 +406,59 @@ jobs:
406406 with :
407407 name : release-images
408408 path : ./release-images
409+
410+ trivy-scan-image :
411+ runs-on : ubuntu-20.04
412+ needs : docker-amd64
413+
414+ steps :
415+ - name : Checkout code
416+ uses : actions/checkout@v2
417+
418+ - name : Download release images
419+ uses : actions/download-artifact@v2
420+ with :
421+ name : release-images
422+ path : ./release-images
423+
424+ - name : Run Trivy vulnerability scanner in image mode
425+ uses : aquasecurity/trivy-action@v0.0.14
426+ with :
427+ input : " ./release-images/code-server-amd64-*.tar"
428+ scan-type : " image"
429+ ignore-unfixed : true
430+ format : " template"
431+ template : " @/contrib/sarif.tpl"
432+ output : " trivy-image-results.sarif"
433+ severity : " HIGH,CRITICAL"
434+
435+ - name : Upload Trivy scan results to GitHub Security tab
436+ uses : github/codeql-action/upload-sarif@v1
437+ with :
438+ sarif_file : " trivy-image-results.sarif"
439+
440+ # We have to use two trivy jobs
441+ # because GitHub only allows
442+ # codeql/upload-sarif action per job
443+ trivy-scan-repo :
444+ runs-on : ubuntu-20.04
445+
446+ steps :
447+ - name : Checkout code
448+ uses : actions/checkout@v2
449+
450+ - name : Run Trivy vulnerability scanner in repo mode
451+ uses : aquasecurity/trivy-action@v0.0.14
452+ with :
453+ scan-type : " fs"
454+ scan-ref : " ."
455+ ignore-unfixed : true
456+ format : " template"
457+ template : " @/contrib/sarif.tpl"
458+ output : " trivy-repo-results.sarif"
459+ severity : " HIGH,CRITICAL"
460+
461+ - name : Upload Trivy scan results to GitHub Security tab
462+ uses : github/codeql-action/upload-sarif@v1
463+ with :
464+ sarif_file : " trivy-repo-results.sarif"
0 commit comments