hawkbit/.github/workflows/reusable_workflow_trivy-scan.yaml
dependabot[bot] f43935edfc Bump actions/checkout from 6.0.2 to 6.0.3 (#3112)
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2 to 6.0.3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v6.0.2...v6.0.3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-06-03 08:40:53 +03:00


# Reusable workflow: builds the hawkBit container images, scans each of them
# with Trivy and, when the caller asks for it, uploads the SARIF results to
# the GitHub Security tab.
name: Trivy Scan (Reusable Workflow)

on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      # Git ref handed to actions/checkout; the caller decides what to scan.
      ref:
        type: string
        description: "The branch, tag or SHA to checkout, e.g. master"
        default: "master"
      # Gate for the upload-sarif steps; scanning alone needs no extra rights.
      upload:
        type: boolean
        description: "If to upload the scan results, e.g. true or false"
        default: false
# Token scopes granted to the job. Kept to the minimum the steps use.
permissions:
  # Checking out the repository only needs read access.
  contents: read
  # upload-sarif writes code-scanning alerts; without this the upload steps fail.
  security-events: write
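jobs:
  trivy-scan:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every action below is pinned to a release tag. Tags are
      # mutable, so pinning each `uses:` to the full commit SHA of that release
      # (keeping the tag in a trailing comment) would make the workflow's
      # supply chain reproducible. Left as-is here because the SHAs are not on
      # record in this file.
      - name: Checkout code
        uses: actions/checkout@v6.0.3
        with:
          ref: ${{ inputs.ref }}

      # Resolve the checked-out commit once; all upload steps report this SHA.
      - name: Get checked-out SHA
        id: get-sha
        run: echo "sha=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"

      - name: Set up JDK
        uses: actions/setup-java@v5.2.0
        with:
          distribution: "temurin"
          # Quoted so the version reaches the action as the string "21" by
          # intent rather than by integer-to-string coercion.
          java-version: "21"
          cache: "maven"

      # Builds the project and the local container images scanned below.
      # Each `run` step starts in the workspace again, so no trailing `cd` is
      # needed; the former `cd ../../..` climbed one level above the workspace
      # and had no effect on later steps.
      - name: Create hawkBit container images
        run: |
          mvn clean install -DskipTests -DskipJavadoc && \
          cd docker/build && \
          chmod +x build_dev.sh && \
          ./build_dev.sh

      - name: Create scan output directory
        run: mkdir -p scans

      # One scan per image, written as SARIF into scans/. Only HIGH/CRITICAL
      # library (language package) findings with an available fix are
      # reported; accepted findings are listed in .github/workflows/.trivyignore.
      - name: Scan hawkbit-ddi-server
        uses: aquasecurity/trivy-action@v0.36.0
        with:
          image-ref: 'hawkbit/hawkbit-ddi-server:latest'
          ignore-unfixed: true
          trivyignores: .github/workflows/.trivyignore
          severity: 'HIGH,CRITICAL'
          vuln-type: 'library'
          format: 'sarif'
          output: 'scans/hawkbit-ddi-server.sarif'

      - name: Scan hawkbit-dmf-server
        uses: aquasecurity/trivy-action@v0.36.0
        with:
          image-ref: 'hawkbit/hawkbit-dmf-server:latest'
          ignore-unfixed: true
          trivyignores: .github/workflows/.trivyignore
          severity: 'HIGH,CRITICAL'
          vuln-type: 'library'
          format: 'sarif'
          output: 'scans/hawkbit-dmf-server.sarif'

      - name: Scan hawkbit-mgmt-server
        uses: aquasecurity/trivy-action@v0.36.0
        with:
          image-ref: 'hawkbit/hawkbit-mgmt-server:latest'
          ignore-unfixed: true
          trivyignores: .github/workflows/.trivyignore
          severity: 'HIGH,CRITICAL'
          vuln-type: 'library'
          format: 'sarif'
          output: 'scans/hawkbit-mgmt-server.sarif'

      - name: Scan hawkbit-ui
        uses: aquasecurity/trivy-action@v0.36.0
        with:
          image-ref: 'hawkbit/hawkbit-ui:latest'
          ignore-unfixed: true
          trivyignores: .github/workflows/.trivyignore
          severity: 'HIGH,CRITICAL'
          vuln-type: 'library'
          format: 'sarif'
          output: 'scans/hawkbit-ui.sarif'

      - name: Scan hawkbit-update-server
        uses: aquasecurity/trivy-action@v0.36.0
        with:
          image-ref: 'hawkbit/hawkbit-update-server:latest'
          ignore-unfixed: true
          trivyignores: .github/workflows/.trivyignore
          severity: 'HIGH,CRITICAL'
          vuln-type: 'library'
          format: 'sarif'
          output: 'scans/hawkbit-update-server.sarif'

      - name: Scan hawkbit-repository-jpa-init
        uses: aquasecurity/trivy-action@v0.36.0
        with:
          image-ref: 'hawkbit/hawkbit-repository-jpa-init:latest'
          ignore-unfixed: true
          trivyignores: .github/workflows/.trivyignore
          severity: 'HIGH,CRITICAL'
          vuln-type: 'library'
          format: 'sarif'
          output: 'scans/hawkbit-repository-jpa-init.sarif'

      # Upload steps run only when the caller passes `upload: true`.
      # NOTE(review): `ref` is built as refs/heads/<inputs.ref>, which assumes
      # the input is a branch name even though the input description also
      # allows tags and SHAs; for those the ref would not exist — TODO confirm
      # how callers use this before relying on tag/SHA scans being uploaded.
      - name: Upload Docker image scan results to GitHub Security tab hawkbit-ddi-server
        if: ${{ inputs.upload }}
        uses: github/codeql-action/upload-sarif@v4.35.1
        with:
          ref: refs/heads/${{ inputs.ref }}
          sha: ${{ steps.get-sha.outputs.sha }}
          sarif_file: 'scans/hawkbit-ddi-server.sarif'
          category: "Container Images (hawkbit-ddi-server) [${{ inputs.ref }}]"

      - name: Upload Docker image scan results to GitHub Security tab hawkbit-dmf-server
        if: ${{ inputs.upload }}
        uses: github/codeql-action/upload-sarif@v4.35.1
        with:
          ref: refs/heads/${{ inputs.ref }}
          sha: ${{ steps.get-sha.outputs.sha }}
          sarif_file: 'scans/hawkbit-dmf-server.sarif'
          category: "Container Images (hawkbit-dmf-server) [${{ inputs.ref }}]"

      - name: Upload Docker image scan results to GitHub Security tab hawkbit-mgmt-server
        if: ${{ inputs.upload }}
        uses: github/codeql-action/upload-sarif@v4.35.1
        with:
          ref: refs/heads/${{ inputs.ref }}
          sha: ${{ steps.get-sha.outputs.sha }}
          sarif_file: 'scans/hawkbit-mgmt-server.sarif'
          category: "Container Images (hawkbit-mgmt-server) [${{ inputs.ref }}]"

      - name: Upload Docker image scan results to GitHub Security tab hawkbit-ui
        if: ${{ inputs.upload }}
        uses: github/codeql-action/upload-sarif@v4.35.1
        with:
          ref: refs/heads/${{ inputs.ref }}
          sha: ${{ steps.get-sha.outputs.sha }}
          sarif_file: 'scans/hawkbit-ui.sarif'
          category: "Container Images (hawkbit-ui) [${{ inputs.ref }}]"

      - name: Upload Docker image scan results to GitHub Security tab hawkbit-update-server
        if: ${{ inputs.upload }}
        uses: github/codeql-action/upload-sarif@v4.35.1
        with:
          ref: refs/heads/${{ inputs.ref }}
          sha: ${{ steps.get-sha.outputs.sha }}
          sarif_file: 'scans/hawkbit-update-server.sarif'
          category: "Container Images (hawkbit-update-server) [${{ inputs.ref }}]"

      - name: Upload Docker image scan results to GitHub Security tab hawkbit-repository-jpa-init
        if: ${{ inputs.upload }}
        uses: github/codeql-action/upload-sarif@v4.35.1
        with:
          ref: refs/heads/${{ inputs.ref }}
          sha: ${{ steps.get-sha.outputs.sha }}
          sarif_file: 'scans/hawkbit-repository-jpa-init.sarif'
          category: "Container Images (hawkbit-repository-jpa-init) [${{ inputs.ref }}]"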