nessi
d17752b611
Some checks failed
Container CVE Scan (development) / Scan backend/frontend images for CVEs (push) Failing after 2m20s
PostgreSQL Compatibility Matrix / PG14 smoke (push) Successful in 8s
PostgreSQL Compatibility Matrix / PG15 smoke (push) Successful in 7s
PostgreSQL Compatibility Matrix / PG16 smoke (push) Successful in 7s
PostgreSQL Compatibility Matrix / PG17 smoke (push) Successful in 7s
PostgreSQL Compatibility Matrix / PG18 smoke (push) Successful in 7s
This commit introduces a GitHub Actions workflow to scan for CVEs in backend and frontend container images. It uses Trivy for scanning and uploads the reports as artifacts, providing better visibility into vulnerabilities in development builds.
79 lines
2.0 KiB
YAML
79 lines
2.0 KiB
YAML
name: Container CVE Scan (development)
|
|
|
|
on:
|
|
push:
|
|
branches: ["development"]
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
cve-scan:
|
|
name: Scan backend/frontend images for CVEs
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
- name: Build backend image (local)
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: ./backend
|
|
file: ./backend/Dockerfile
|
|
push: false
|
|
load: true
|
|
tags: nexapg-backend:dev-scan
|
|
provenance: false
|
|
sbom: false
|
|
|
|
- name: Build frontend image (local)
|
|
uses: docker/build-push-action@v6
|
|
with:
|
|
context: ./frontend
|
|
file: ./frontend/Dockerfile
|
|
push: false
|
|
load: true
|
|
tags: nexapg-frontend:dev-scan
|
|
build-args: |
|
|
VITE_API_URL=/api/v1
|
|
provenance: false
|
|
sbom: false
|
|
|
|
- name: Trivy scan (backend)
|
|
uses: aquasecurity/trivy-action@0.24.0
|
|
with:
|
|
image-ref: nexapg-backend:dev-scan
|
|
format: table
|
|
output: trivy-backend.txt
|
|
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
|
|
ignore-unfixed: false
|
|
exit-code: 0
|
|
|
|
- name: Trivy scan (frontend)
|
|
uses: aquasecurity/trivy-action@0.24.0
|
|
with:
|
|
image-ref: nexapg-frontend:dev-scan
|
|
format: table
|
|
output: trivy-frontend.txt
|
|
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
|
|
ignore-unfixed: false
|
|
exit-code: 0
|
|
|
|
- name: Print scan summary
|
|
run: |
|
|
echo "===== Backend CVE Scan ====="
|
|
cat trivy-backend.txt
|
|
echo
|
|
echo "===== Frontend CVE Scan ====="
|
|
cat trivy-frontend.txt
|
|
|
|
- name: Upload scan reports
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: container-cve-scan-reports
|
|
path: |
|
|
trivy-backend.txt
|
|
trivy-frontend.txt
|