feat: add trivyy docker image scanning

rutkowski-tomasz · May 29, 2024 · 101f36b · 101f36b
1 parent d608ada
commit 101f36b
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 9 deletions.
diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
@@ -23,7 +23,11 @@ on:
       libcod_commit:
         type: string
         description: 'Commit hash of libcod to use'
-        required: true
+        default: "5f04a7f4e60d910945f13a786d15081843b72baf"
+      version:
+        type: string
+        description: 'Version of the image'
+        default: '3.12'
 
 jobs:
   build:
@@ -86,6 +90,18 @@ jobs:
           cache-from: type=local,src=/tmp/.buildx-cache
           cache-to: type=local,dest=/tmp/.buildx-cache-new
 
+      - name: Install Trivy
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y apt-transport-https ca-certificates
+          curl -fsSL https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
+          echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
+          sudo apt-get update
+          sudo apt-get install -y trivy
+
+      - name: Trivy vulnerability scanner
+        run: trivy image --exit-code 1 --no-progress --severity HIGH,CRITICAL ${{ env.DOCKER_TAG }}
+
       - name: Move Docker cache
         run: |
           rm -rf /tmp/.buildx-cache

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -12,5 +12,4 @@ jobs:
       enable_speex: 1
       enable_unsafe: 1
       enable_push: false
-      libcod_commit: "5f04a7f4e60d910945f13a786d15081843b72baf"
     secrets: inherit
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -21,5 +21,4 @@ jobs:
       enable_speex: ${{ matrix.enable_speex }}
       enable_unsafe: ${{ matrix.enable_unsafe }}
       enable_push: true
-      libcod_commit: "5f04a7f4e60d910945f13a786d15081843b72baf"
     secrets: inherit
diff --git a/README.md b/README.md
@@ -83,8 +83,4 @@ To build locally you can use command `podman build --format=docker --build-arg c
 
 # 📦 New version
 
-1. Update [source commit](https://github.com/rutkowski-tomasz/cod2-docker/blob/master/Dockerfile#L59) 
-2. Update [version](https://github.com/rutkowski-tomasz/cod2-docker/blob/master/__version__#L1) (It should match zk_libcod [release version](https://github.com/ibuddieat/zk_libcod/releases))
-3. `git commit`
-4. `git tag <same-as-pt2>`
-5. `git push --tags`
+Update [libcod_commit and version](https://github.com/rutkowski-tomasz/cod2-docker/blob/master/.github/workflows/build-push.yml#L23) 
diff --git a/__version__ b/__version__