feat: upload trivy results as artifact #26
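---
name: Continuous Integration

# Run only on main and feature branches if Python files were changed
on:
  push:
    branches:
      - main
      - 'feature/**'
    # Deactivated for testing
    # paths:
    #   - '**.py'

# Least privilege for GITHUB_TOKEN: nothing in this workflow writes to the
# repository. Uploading SARIF to code scanning later would additionally need
# `security-events: write` on the scan job.
permissions:
  contents: read

env:
  PYTHON_IMAGE: 'python:3.12-slim'
  # Quoted so no YAML parser can ever read a version string as a number.
  POETRY_VERSION: '2.1.2'

defaults:
  run:
    # An explicit bash shell runs with `-e -o pipefail`, so a failed download
    # inside a `wget ... | gpg ... | tee` pipeline fails the step instead of
    # being masked by the exit status of the last command in the pipe.
    shell: bash

# NOTE(review): `@v4` tags are mutable; pinning each action to a full commit
# SHA (e.g. actions/checkout@<commit-sha>  # v4) hardens the supply chain.
jobs:
  test-and-check:
    name: Test and Check Python Code
    runs-on: ubuntu-latest
    # The env context is not available in jobs.<job_id>.container, so
    # PYTHON_IMAGE cannot be referenced here; a repository variable
    # (${{ vars.PYTHON_IMAGE }}) would work if this has to be parameterized.
    container: python:3.12-slim
    env:
      POETRY_HOME: '/opt/poetry'
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
      - name: Setup Poetry
        run: |
          python -m venv $POETRY_HOME
          $POETRY_HOME/bin/pip install --no-cache-dir poetry==$POETRY_VERSION
      - name: Install Dependencies
        run: |
          cd $GITHUB_WORKSPACE
          $POETRY_HOME/bin/poetry install --no-root --no-interaction --with=dev
      - name: Run Pytest
        run: |
          $POETRY_HOME/bin/poetry run pytest tests/ -v
      - name: Run Format Check
        run: |
          $POETRY_HOME/bin/poetry run black --check src/ tests/
      - name: Run Linting
        run: |
          $POETRY_HOME/bin/poetry run mypy src/
      - name: Run SAST
        run: |
          $POETRY_HOME/bin/poetry run bandit src/ -r -ll # Report medium vulnerabilities or higher

  scan:
    name: Scan Docker Resources
    runs-on: ubuntu-latest
    env:
      PROJECT_IMAGE_NAME: tmp-image
      TRIVY_REPORT_DIR: /tmp/trivy_reports
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
      - name: Install Trivy
        run: |
          # According to https://trivy.dev/latest/getting-started/installation/#debianubuntu-official
          # Hint: I'm aware that Trivy has a GitHub Action, this is just for learning purposes
          # `-y` keeps apt-get from waiting on a confirmation prompt that has
          # no terminal to answer it on a CI runner.
          sudo apt-get update
          sudo apt-get install -y wget gnupg
          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
          echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
          sudo apt-get update
          sudo apt-get install -y trivy
      - name: Build Project Docker Image
        run: |
          docker build -t $PROJECT_IMAGE_NAME .
      - name: Setup Trivy Reports Directory
        run: |
          mkdir -p $TRIVY_REPORT_DIR
      - name: Run Trivy Image Scan
        run: |
          trivy image --format sarif -o $TRIVY_REPORT_DIR/trivy-report-image.sarif $PROJECT_IMAGE_NAME
      - name: Run Trivy Dockerfile Scan
        run: |
          trivy config --format sarif -o $TRIVY_REPORT_DIR/trivy-report-dockerfile.sarif .
      - name: Upload Trivy Scan Results
        # Keep the reports even when a scan step fails (e.g. once scans are
        # made to fail on findings), but not when the run is cancelled.
        if: ${{ !cancelled() }}
        uses: actions/upload-artifact@v4
        with:
          name: trivy-reports
          # Action inputs are not shell-expanded: a literal `$TRIVY_REPORT_DIR`
          # would match no files. The env context resolves it at workflow level.
          path: ${{ env.TRIVY_REPORT_DIR }}
      # TODO: Upload scan results to code scanning
      #       (github/codeql-action/upload-sarif; needs `security-events: write`)
      # TODO: Fail scans in case of vulnerabilities
      #       (trivy `--exit-code 1 --severity HIGH,CRITICAL`)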