EK-34: Add list of drawing objects #1995
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: 'Trivy Security Scan' | |
| on: # use pull request so this workflow dos not fail when triggered by dependabot PR's | |
| pull_request: | |
| schedule: | |
| - cron: '17 23 * * MON' | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ ( github.ref == 'refs/heads/main' || github.ref == 'refs/heads/release' ) && format('ci-main-{0}', github.sha) || format('ci-main-{0}', github.ref) }} | |
| cancel-in-progress: true | |
| jobs: | |
| build: | |
| name: 'Trivy Scan' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| steps: | |
| - uses: 'actions/checkout@v4' | |
| - name: 'Build images' | |
| run: | | |
| docker buildx build --pull --build-arg VERSION=snapshot --build-arg BASE_HREF=/ -t ghcr.io/tailormap/tailormap:snapshot . --load | |
| - name: Trivy Cache | |
| uses: yogeshlonkar/[email protected] | |
| with: | |
| gh-token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: 'Run Trivy vulnerability scanner on tailormap' | |
| uses: 'aquasecurity/[email protected]' | |
| # docker run --rm -v trivy_cache:/root/.cache/ aquasec/trivy image ghcr.io/tailormap/tailormap:snapshot | |
| with: | |
| image-ref: 'ghcr.io/tailormap/tailormap:snapshot' | |
| format: 'sarif' | |
| output: 'tailormap-trivy-results.sarif' | |
| severity: 'HIGH,CRITICAL' | |
| cache-dir: .trivy | |
| - name: 'Upload tailormap-viewer Trivy scan results to GitHub Security tab' | |
| uses: 'github/codeql-action/upload-sarif@v3' | |
| if: always() | |
| with: | |
| sarif_file: 'tailormap-trivy-results.sarif' | |
| category: 'tailormap' |