This repository has been archived by the owner on Feb 14, 2025. It is now read-only.
Security checks for sigopt/sigopt-server@refs/heads/main #2710
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: security checks | |
| permissions: read-all | |
| run-name: Security checks for ${{ github.repository }}@${{ github.ref }} | |
| on: | |
| push: {} | |
| schedule: | |
| - cron: "0 8,16 * * *" | |
| jobs: | |
| trivy-scan-fs: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check out repository code | |
| uses: actions/checkout@v4 | |
| - name: Run Trivy | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: fs | |
| scan-ref: . | |
| trivy-config: trivy.yaml | |
| trivy-scan-nginx: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check out repository code | |
| uses: actions/checkout@v4 | |
| - run: | | |
| source .env | |
| docker build . --tag=sigopt/nginx:scan --file=docker/images/nginx/Dockerfile \ | |
| --build-arg=NGINX_VERSION="$NGINX_VERSION" | |
| - name: Trivy scan nginx HIGH, CRITICAL | |
| if: always() | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: sigopt/nginx:scan | |
| ignore-unfixed: false | |
| severity: HIGH,CRITICAL | |
| exit-code: "1" | |
| - name: Trivy scan nginx fixable | |
| if: always() | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: sigopt/nginx:scan | |
| ignore-unfixed: true | |
| severity: LOW,MEDIUM,UNKNOWN | |
| exit-code: "1" | |
| trivy-scan-web: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check out repository code | |
| uses: actions/checkout@v4 | |
| - run: make submodules | |
| - run: | | |
| source .env | |
| docker build . --tag=sigopt/web:scan --file=docker/images/web/Dockerfile \ | |
| --build-arg=NODE_MAJOR="$NODE_MAJOR" | |
| - name: Trivy scan web HIGH, CRITICAL | |
| if: always() | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: sigopt/web:scan | |
| ignore-unfixed: false | |
| severity: HIGH,CRITICAL | |
| exit-code: "1" | |
| - name: Trivy scan web fixable | |
| if: always() | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: sigopt/web:scan | |
| ignore-unfixed: true | |
| severity: LOW,MEDIUM,UNKNOWN | |
| exit-code: "1" | |
| trivy-scan-zigopt: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check out repository code | |
| uses: actions/checkout@v4 | |
| - run: | | |
| source .env | |
| docker build . --tag=sigopt/zigopt:scan --file=docker/images/zigopt/Dockerfile \ | |
| --build-arg=PROTOBUF_VERSION="$PROTOBUF_VERSION" \ | |
| --build-arg=PYTHON_MAJOR="$PYTHON_MAJOR" \ | |
| --build-arg=PYTHON_MINOR="$PYTHON_MINOR" | |
| - name: Trivy scan zigopt HIGH, CRITICAL | |
| if: always() | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: sigopt/zigopt:scan | |
| ignore-unfixed: false | |
| severity: HIGH,CRITICAL | |
| exit-code: "1" | |
| - name: Trivy scan zigopt fixable | |
| if: always() | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: sigopt/zigopt:scan | |
| ignore-unfixed: true | |
| severity: LOW,MEDIUM,UNKNOWN | |
| exit-code: "1" |