Skip to content

fix: update maven dependencies to latest versions to mitigate vulnera… #136

fix: update maven dependencies to latest versions to mitigate vulnera…

fix: update maven dependencies to latest versions to mitigate vulnera… #136

# This workflow is used to build & scan image using trivy vulnerability scanner and upload the results to github security tab
name: Build & Vulnerability Scan using Trivy Scanner
on:
push:
branches: [ master, release/*]
pull_request:
# The branches below must be a subset of the branches above
branches: [ master, release/*]
jobs:
build-scan-image:
name: Build & Scan Image
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
# Set up JDK build environment
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
# Runs build steps
- name: Maven Package
run: mvn -ntp -DskipTests -Popenshift clean package
- name: Build an image from Dockerfile
env:
COMPOSE_DOCKER_CLI_BUILD: 1
DOCKER_BUILDKIT: 1
CONTEXT: .
run: |
docker build -t bc-paris-api:${{ github.sha }} ${CONTEXT}
#Run Vulnerability Scan usinig Trivy scanner
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: 'bc-paris-api:${{ github.sha }}'
format: 'sarif'
output: 'trivy-results.sarif'
exit-code: '1'
ignore-unfixed: true
severity: 'HIGH,CRITICAL'
scan-ref: '.'
vuln-type: 'os,library'
list-all-pkgs: false
#Upload results to the Github security tab.
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'