From 3dd1bae938cf684b944cf8544a16796f00d2d472 Mon Sep 17 00:00:00 2001
From: Nova Kwok
Date: Thu, 30 Jun 2022 17:14:07 +0800
Subject: [PATCH] Add CVE test on CI (#129)
* Add CVE test on CI
* Update
* Update
---
 .github/workflows/CI.yaml | 49 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
diff --git a/.github/workflows/CI.yaml b/.github/workflows/CI.yaml
index 43014f3..aca4ded 100644
--- a/.github/workflows/CI.yaml
+++ b/.github/workflows/CI.yaml
@@ -35,3 +35,52 @@ jobs:
 with:
 files: ./coverage.txt
 verbose: true
+
+ image-test:
+ name: Check for image build and CVE
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+ with:
+ submodules: true
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v1
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+
+ - name: Cache Docker layers
+ uses: actions/cache@v2
+ with:
+ path: /tmp/.buildx-cache
+ key: ${{ runner.os }}-buildx-${{ github.sha }}
+ restore-keys: |
+ ${{ runner.os }}-buildx-
+
+ - name: Lower case for ghcr
+ id: ghcr_string
+ uses: ASzc/change-string-case-action@v1
+ with:
+ string: ${{ github.event.repository.full_name }}
+
+ - name: Build and load image
+ uses: docker/build-push-action@v2
+ with:
+ context: .
+ load: true
+ tags: |
+ ghcr.io/${{ steps.ghcr_string.outputs.lowercase }}
+
+ cache-from: type=local,src=/tmp/.buildx-cache
+ cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
+
+ - name: Scan for possible CVEs
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ghcr.io/${{ steps.ghcr_string.outputs.lowercase }}
+ format: 'table'
+ exit-code: '1'
+ severity: 'CRITICAL,HIGH'
+ ignore-unfixed: true
\ No newline at end of file
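Review bot: The "Scan for possible CVEs" step in this hunk uses `aquasecurity/trivy-action@master`, a mutable branch ref, so the step that gates the build on CVE findings can change or break underneath the job without any commit to this repository; the other actions are pinned only to major tags (`@v1`, `@v2`), which are movable as well. Pin at least the scanner to a release tag or, preferably, a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<release tag or full commit SHA>` (placeholder). Separately, the build writes its layer cache to `/tmp/.buildx-cache-new` while `actions/cache` only saves `/tmp/.buildx-cache`, so the cache is never refreshed; add a step after the build such as `run: rm -rf /tmp/.buildx-cache && mv /tmp/.buildx-cache-new /tmp/.buildx-cache`. `ignore-unfixed: true` deliberately hides findings that have no fixed version yet, which is a reasonable gate policy but deserves a comment so a passing scan is not read as "no known CVEs". The enclosing `jobs:` mapping begins before the hunk.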