trivy-scan.yml

name: "Trivy Scan"

on:
  pull_request:
    branches: [ master ]

permissions:
  contents: read

env:
  IMAGE_REPO: openyurt

jobs:
  images:
    name: Image Scan
    runs-on: ubuntu-22.04
    strategy:
      matrix:
        target: [ yurthub,  node-servant, yurt-manager, yurt-iot-dock ]
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Build image
        run: |
          tag=$(git describe --abbrev=0 --tags)
          commit=$(git rev-parse HEAD)
          if $(git tag --points-at ${commit}); then
            echo "git_tag=`echo ${tag}-$(echo ${commit} | cut -c 1-7)`" >> $GITHUB_ENV
          else
            echo "git_tag=`echo ${tag}`" >> $GITHUB_ENV
          fi
          make docker-build

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: '${{ env.IMAGE_REPO }}/${{ matrix.target }}:${{ env.git_tag }}'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security
        uses: github/codeql-action/upload-sarif@v2
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'