Add CVE test on CI (#129)

* Add CVE test on CI * Update * Update
2025-07-18 13:42:02 +08:00 · 2022-06-30 17:14:07 +08:00 · 2022-06-30 17:14:07 +08:00 · 3dd1bae938
commit 3dd1bae938
parent 49b20236e9
1 changed files with 49 additions and 0 deletions
--- a/.github/workflows/CI.yaml
+++ b/.github/workflows/CI.yaml
@ -35,3 +35,52 @@ jobs:
        with:
          files: ./coverage.txt
          verbose: true
+
+  image-test:
+    name: Check for image build and CVE
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          submodules: true
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Cache Docker layers
+        uses: actions/cache@v2
+        with:
+          path: /tmp/.buildx-cache
+          key: ${{ runner.os }}-buildx-${{ github.sha }}
+          restore-keys: |
+            ${{ runner.os }}-buildx-
+
+      - name: Lower case for ghcr
+        id: ghcr_string
+        uses: ASzc/change-string-case-action@v1
+        with:
+          string: ${{ github.event.repository.full_name }}
+
+      - name: Build and load image
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          load: true
+          tags: |
+            ghcr.io/${{ steps.ghcr_string.outputs.lowercase }}
+
+          cache-from: type=local,src=/tmp/.buildx-cache
+          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
+
+      - name: Scan for possible CVEs
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ghcr.io/${{ steps.ghcr_string.outputs.lowercase }}
+          format: 'table'
+          exit-code: '1'
+          severity: 'CRITICAL,HIGH'
+          ignore-unfixed: true