ci: add trivy image vulnerabilities scan workflow (#3287)

* ci: add trivy image scan workflow Signed-off-by: Shahar Harari <shahar.harari@sap.com> * fix lint errors Signed-off-by: Shahar Harari <shahar.harari@sap.com> --------- Signed-off-by: Shahar Harari <shahar.harari@sap.com>
envoyproxy · Apr 27, 2024 · f8ede24 · f8ede24
1 parent 3f8d05b
commit f8ede24
Showing 1 changed file with 31 additions and 0 deletions.
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -0,0 +1,31 @@
+name: trivy
+
+on:
+  push:
+    branches:
+    - "main"
+  schedule:
+  - cron: '55 17 * * 5'
+
+permissions:
+  contents: read
+
+jobs:
+  image-scan:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+    name: Image Scan
+    runs-on: ubuntu-22.04
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f  # v4.1.3
+
+    - name: Build an image from Dockerfile
+      run: |
+        IMAGE=envoy-proxy/gateway-dev TAG=${{ github.sha }} make image
+
+    - name: Run Trivy vulnerability scanner
+      uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55  # v0.19.0
+      with:
+        image-ref: envoy-proxy/gateway-dev:${{ github.sha }}
+        exit-code: '1'