diff --git a/.github/workflows/trivy-scan.yml b/.github/workflows/trivy-scan.yml
new file mode 100644
index 000000000..5dc50e3ca
--- /dev/null
+++ b/.github/workflows/trivy-scan.yml
@@ -0,0 +1,55 @@
+name: Vulnerability Scan
+
+on:
+ schedule:
+ # run every night at 4:00 AM (UTC)
+ - cron: '0 4 * * *'
+ # enable running the workflow manually
+ workflow_dispatch:
+
+jobs:
+ scan:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+
+ - name: Set up Maven
+ uses: stCarolas/setup-maven@v4.5
+ with:
+ maven-version: 3.8.6
+
+ - name: Set up JDK
+ uses: actions/setup-java@v3
+ with:
+ distribution: "adopt"
+ java-version: "11"
+ cache: "maven"
+
+ - name: Create Hawkbit container images
+ run: |
+ mvn clean install -DskipTests -Pdocker
+
+ - name: Determine most recent Trivy version
+ run: |
+ echo "TRIVY_VERSION=$(wget -qO - 'https://api.github.com/repos/aquasecurity/trivy/releases/latest' | \
+ grep '\"tag_name\":' | sed -E 's/.*\"v([^\"]+)\".*/\1/')" >> $GITHUB_ENV
+
+ - name: Install Trivy
+ run: |
+ wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz -O - | tar -zxvf -
+
+ - name: Scan Docker images
+ run: |
+ mkdir -p scans/eclipse/hawkbit
+ for IMAGE in $(docker image ls --format "{{.Repository}}:{{.Tag}}" "hawkbit-*"); do
+ echo "Scanning image ${IMAGE} ..."
+ ./trivy image "${IMAGE}" --ignore-unfixed --severity HIGH,CRITICAL --output "scans/eclipse/hawkbit/$IMAGE.sarif" --format sarif
+ done
+
+ - name: Upload Docker image scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'scans/eclipse/hawkbit'
+ category: "Container Images"
\ No newline at end of file
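Review bot: The Install Trivy step untars a binary fetched straight from a release URL whose version was resolved one step earlier by an unauthenticated api.github.com call, with no checksum or signature check, so the scanner that feeds the Security tab is itself an unpinned and unverified supply-chain input (and a rate-limited API reply leaves TRIVY_VERSION empty, which only surfaces as a 404 on the download). Pin the version in a top-level `env:` and verify the archive against the `trivy_<version>_checksums.txt` that the same release publishes before extracting, as in the rewrite below, or drop both steps for the maintained `aquasecurity/trivy-action` pinned to a commit SHA — the same pinning applies to the third-party `stCarolas/setup-maven@v4.5`, which is tied only to a mutable tag. The workflow also declares no `permissions:` block although `upload-sarif` needs `security-events: write` and nothing here needs more, so add `permissions:` / `contents: read` / `security-events: write` at workflow level to both work under read-only default token settings and cap what a compromised step could do. Finally, `--ignore-unfixed` drops findings that have no vendor fix, which is a defensible triage choice for a nightly job but deserves a comment such as `# unfixed CVEs are suppressed here; review them separately` so nobody reads an empty report as a clean image.
```yaml
env:
  # Pin the scanner release; bump deliberately instead of resolving "latest" at run time.
  TRIVY_VERSION: "<pinned release>"

# … unchanged: on:, jobs:, checkout / Maven / JDK / image build steps …

      - name: Install Trivy
        run: |
          set -euo pipefail
          base="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}"
          archive="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
          wget --no-verbose "${base}/${archive}" "${base}/trivy_${TRIVY_VERSION}_checksums.txt"
          # Fail closed unless the published SHA-256 matches what was downloaded.
          grep " ${archive}\$" "trivy_${TRIVY_VERSION}_checksums.txt" | sha256sum --check --strict -
          tar -zxf "${archive}" trivy
```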
diff --git a/hawkbit-runtime/hawkbit-update-server/pom.xml b/hawkbit-runtime/hawkbit-update-server/pom.xml
index b3100e396..b75a5dc20 100644
--- a/hawkbit-runtime/hawkbit-update-server/pom.xml
+++ b/hawkbit-runtime/hawkbit-update-server/pom.xml
@@ -19,6 +19,19 @@
hawkbit-update-server
hawkBit :: Runtime :: Update Server
+
+
+ docker
+
+
+
+ io.fabric8
+ docker-maven-plugin
+
+
+
+
+
diff --git a/pom.xml b/pom.xml
index 592470086..4ae9df75e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -168,6 +168,19 @@
+
+ ${project.artifactId}
+ unix:///var/run/docker.sock
+ 0.40.3
+ -Xms600m -Xmx600m -XX:MaxMetaspaceSize=250m -XX:MetaspaceSize=250m -Xss300K
+
+ linux/amd64
+ -XX:+UseG1GC -XX:+UseStringDeduplication -XX:+UseCompressedOops
+ ${docker.memory.size} ${docker.gc.settings} -XX:+HeapDumpOnOutOfMemoryError
+ -XX:+ExitOnOutOfMemoryError -Djava.security.egd=file:/dev/./urandom
+
+ 11.0.15_10-jre-alpine
+
3.3.3
1.11.1
3.9.1
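Review bot: `docker.jre.version` pins the base image to the exact build `11.0.15_10-jre-alpine`, which gives reproducible images but also means every nightly Trivy run will keep reporting the same JRE and Alpine findings until someone bumps this property by hand; pair the tag with an immutable `@sha256:` digest and give the bump an owner (Dependabot/Renovate for Docker tags, or at least a comment such as `<!-- bump alongside each Temurin CPU release; see nightly Vulnerability Scan results -->`). `docker.host` is hard-wired to `unix:///var/run/docker.sock`, which matches the GitHub runner but silently breaks rootless or remote Docker setups, and setting it explicitly presumably takes precedence over any `DOCKER_HOST` in the environment — a comment noting that it can be overridden with `-Ddocker.host=…` would save the next developer a failed build. The properties are consumed by a plugin configuration that this hunk does not show, so confirm there that the image is not additionally published under a floating tag that would undo the pin.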
@@ -329,6 +342,67 @@
+
+ io.fabric8
+ docker-maven-plugin
+ ${docker.maven.plugin.version}
+
+ true
+ ${docker.host}
+
+
+ ${docker.repository.name}
+
+ ${docker.repository.name}:${project.version}
+
+
+ eclipse-temurin:${docker.jre.version}
+
+ ${docker.base.image.platform}
+
+
+ latest
+
+
+ docker
+ ${docker.jvm.args}
+
+
+ 8080
+
+
+
+
+
+ target
+ .
+
+ ${project.build.finalName}.jar
+
+ 0644
+ 0755
+ false
+
+
+
+
+
+ java $JAVA_OPTS -jar maven/${project.build.finalName}.jar
+
+
+
+
+
+
+
+ package
+
+ remove
+ build
+
+
+
+
org.apache.maven.plugins
maven-javadoc-plugin