lingwei.kong/hawkbit
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
f9d0e39e6be4805906a2c1a3a86c2b5fd0dc214a
hawkbit/.github/workflows/reusable_workflow_trivy-scan.yaml
dependabot[bot] 222ca5c826 Bump github/codeql-action from 3 to 4 (#2729) 
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3 to 4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/v3...v4)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: '4'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-10-09 11:08:06 +03:00

102 lines
4.0 KiB
YAML
Raw Blame History

name: Trivy Scan (Reusable Workflow)
on:
workflow_call:
inputs:
ref:
description: 'The branch, tag or SHA to checkout, e.g. master'
type: string
default: 'master'
upload:
description: 'If to upload the scan results, e.g. true or false'
type: boolean
default: false
jobs:
trivy-scan:
runs-on: ubuntu-latest
permissions:
contents: read
# needed for trivy scans upload
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@v5
with:
ref: ${{ inputs.ref }}
- name: Set up JDK
uses: actions/setup-java@v5
with:
distribution: "temurin"
java-version: 21
cache: "maven"
- name: Create hawkBit container images
run: |
mvn clean install -DskipTests -DskipJavadoc && \
cd docker/build && \
chmod +x build_dev.sh && \
./build_dev.sh && \
cd ../../..
- name: Determine most recent Trivy version
run: |
echo "TRIVY_VERSION=$(wget -qO - 'https://api.github.com/repos/aquasecurity/trivy/releases/latest' | \
grep '\"tag_name\":' | sed -E 's/.*\"v([^\"]+)\".*/\1/')" >> $GITHUB_ENV
- name: Install Trivy
run: |
wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz -O - | tar -zxvf -
- name: Scan Docker images
run: |
mkdir -p scans/eclipse-hawkbit/hawkbit
for IMAGE in $(docker image ls --format "{{.Repository}}:{{.Tag}}" "hawkbit/hawkbit-*:latest"); do
echo "Scanning image ${IMAGE} ..."
./trivy image "${IMAGE}" --ignore-unfixed --ignorefile .github/workflows/.trivyignore --severity HIGH,CRITICAL --vuln-type library --output "scans/eclipse-hawkbit/${IMAGE}.sarif" --format sarif
done
- name: Check if to upload scan results
run: |
if [ "${{ inputs.upload }}" = "true" ]; then
echo "Uploading scan results..."
else
echo "Skipping upload of scan results."
exit 0
fi
- name: Upload Docker image scan results to GitHub Security tab hawkbit-ddi-server
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-ddi-server:latest.sarif'
category: "Container Images (hawkbit-ddi-server)"
- name: Upload Docker image scan results to GitHub Security tab hawkbit-dmf-server
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-dmf-server:latest.sarif'
category: "Container Images (hawkbit-dmf-server)"
- name: Upload Docker image scan results to GitHub Security tab hawkbit-mgmt-server
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-mgmt-server:latest.sarif'
category: "Container Images (hawkbit-mgmt-server)"
- name: Upload Docker image scan results to GitHub Security tab hawkbit-simple-ui
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-simple-ui:latest.sarif'
category: "Container Images (hawkbit-simple-ui)"
- name: Upload Docker image scan results to GitHub Security tab hawkbit-update-server
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-update-server:latest.sarif'
category: "Container Images (hawkbit-update-server)"
- name: Upload Docker image scan results to GitHub Security tab hawkbit-repository-jpa-init
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: 'scans/eclipse-hawkbit/hawkbit/hawkbit-repository-jpa-init:latest.sarif'
category: "Container Images (hawkbit-repository-jpa-init)"
Reference in New Issue View Git Blame Copy Permalink