mirror of https://github.com/hyperledger/besu
An enterprise-grade Java-based, Apache 2.0 licensed Ethereum client https://wiki.hyperledger.org/display/besu
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
45 lines
1.2 KiB
45 lines
1.2 KiB
5 months ago
|
name: container security scan
|
||
|
|
|
||
|
|
on:
|
||
|
|
workflow_dispatch:
|
||
|
|
inputs:
|
||
|
|
tag:
|
||
|
|
description: 'Container image tag'
|
||
|
|
required: false
|
||
|
|
default: 'develop'
|
||
|
|
schedule:
|
||
|
|
# Start of the hour is the busy time. Scheule it to run 8:17am UTC
|
||
|
|
- cron: '17 8 * * *'
|
||
|
|
|
||
|
|
jobs:
|
||
|
|
scan-sarif:
|
||
|
|
runs-on: ubuntu-latest
|
||
|
|
|
||
|
|
steps:
|
||
|
|
- name: Checkout
|
||
|
|
uses: actions/checkout@v4
|
||
|
|
|
||
|
|
# Shell parameter expansion does not support directly on a step
|
||
|
|
# Adding a separate step to set the image tag. This allows running
|
||
|
|
# this workflow with a schedule as well as manual
|
||
|
|
- name: Set image tag
|
||
|
|
id: tag
|
||
|
|
run: |
|
||
|
|
echo "TAG=${INPUT_TAG:-develop}" >> "$GITHUB_OUTPUT"
|
||
|
|
env:
|
||
|
|
INPUT_TAG: ${{ inputs.tag }}
|
||
|
|
|
||
|
|
- name: Vulnerability scanner
|
||
|
|
id: trivy
|
||
|
|
uses: aquasecurity/trivy-action@0.22.0
|
||
|
|
with:
|
||
|
|
image-ref: hyperledger/besu:${{ steps.tag.outputs.TAG }}
|
||
|
|
format: sarif
|
||
|
|
output: 'trivy-results.sarif'
|
||
|
|
|
||
|
|
# Check the vulnerabilities via GitHub security tab
|
||
|
|
- name: Upload results
|
||
|
|
uses: github/codeql-action/upload-sarif@v3
|
||
|
|
with:
|
||
|
|
sarif_file: 'trivy-results.sarif'
|