From 7a0a65c534bd194993ccdd2d4f83f25bcfd2e436 Mon Sep 17 00:00:00 2001
From: Maurice Atrops
Date: Sat, 3 May 2025 16:54:48 +0200
Subject: [PATCH 01/19] feat: add trivy installation
---
 .github/workflows/ci-pipeline.yaml | 23 +++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml
index 1835e32..543e13a 100644
--- a/.github/workflows/ci-pipeline.yaml
+++ b/.github/workflows/ci-pipeline.yaml
@@ -51,9 +51,24 @@ jobs:
 run: |
 $POETRY_HOME/bin/poetry run bandit src/ -r -ll # Report medium vulnerabilities or higher
- another-job:
- name: I will eventually be a useful job
+ scan:
+ name: Scan Docker Image
 runs-on: ubuntu-latest
- needs: test-and-check
 steps:
- - run: echo "The unit tests were successful!"
\ No newline at end of file
+ # Build project container image
+ # Scan Image with Trivy
+ - name: Install Trivy
+ run: |
+ # According to https://trivy.dev/latest/getting-started/installation/#debianubuntu-official
+ # Hint: I'm aware that Trivy has a GitHub Action, this is just for learning purposes
+ apt-get update
+ apt-get install wget gnupg -y
+ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | tee /usr/share/keyrings/trivy.gpg > /dev/null
+ echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | tee -a /etc/apt/sources.list.d/trivy.list
+ apt-get update
+ apt-get install trivy
+
+ - name: Verify Installations
+ run: |
+ trivy --version
+ docker --version
\ No newline at end of file
From 3f202949c62802c9d6850e6c98cf6ead7a250265 Mon Sep 17 00:00:00 2001
From: Maurice Atrops
Date: Sat, 3 May 2025 16:55:59 +0200
Subject: [PATCH 02/19] fix: add sudo
---
 .github/workflows/ci-pipeline.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml
index 543e13a..d8df112 100644
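Review bot: The `Install Trivy` step pulls the apt signing key and whatever `trivy` package is current at run time, so the scanner itself is an unpinned, unverified supply-chain input to this pipeline; the `wget ... | gpg --dearmor | tee` pipeline also runs under the runner's default `bash -e` without `pipefail`, so a failed key download is only noticed indirectly when the following `apt-get update` rejects the repository with an unrelated signature error. Start the script with `set -o pipefail`, check the imported key's fingerprint (`gpg --show-keys /usr/share/keyrings/trivy.gpg`) against the one published in the Trivy docs, and pin the package version (`apt-get install -y trivy=<version>`) so results are reproducible across runs. The two `apt-get install` calls should both use `-y`; on a non-interactive runner apt may abort instead of installing when it decides to prompt.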
--- a/.github/workflows/ci-pipeline.yaml
+++ b/.github/workflows/ci-pipeline.yaml
@@ -61,12 +61,12 @@ jobs:
 run: |
 # According to https://trivy.dev/latest/getting-started/installation/#debianubuntu-official
 # Hint: I'm aware that Trivy has a GitHub Action, this is just for learning purposes
- apt-get update
- apt-get install wget gnupg -y
- wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | tee /usr/share/keyrings/trivy.gpg > /dev/null
- echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | tee -a /etc/apt/sources.list.d/trivy.list
- apt-get update
- apt-get install trivy
+ sudo apt-get update
+ sudo apt-get install wget gnupg
+ wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
+ echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
+ sudo apt-get update
+ sudo apt-get install trivy
 - name: Verify Installations
 run: |
From 861288ded163a942bb998d090178867a634e8faa Mon Sep 17 00:00:00 2001
From: Maurice Atrops
Date: Sat, 3 May 2025 17:03:39 +0200
Subject: [PATCH 03/19] feat: add trivy scan
---
 .github/workflows/ci-pipeline.yaml | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml
index d8df112..8cb251b 100644
--- a/.github/workflows/ci-pipeline.yaml
+++ b/.github/workflows/ci-pipeline.yaml
@@ -22,7 +22,7 @@ jobs:
 env:
 POETRY_HOME: '/opt/poetry'
 steps:
- - name: Checkout repository
+ - name: Checkout Repository
 uses: actions/checkout@v4
 - name: Setup Poetry
@@ -54,6 +54,8 @@ jobs:
 scan:
 name: Scan Docker Image
 runs-on: ubuntu-latest
+ env:
+ PROJECT_IMAGE_NAME: tmp-image
 steps:
 # Build project container image
 # Scan Image with Trivy
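Review bot: `-y` was dropped from `sudo apt-get install wget gnupg` in this hunk, and `sudo apt-get install trivy` has never had it; the step only appears to work because `wget` and `gnupg` are already present on `ubuntu-latest`, and apt may abort rather than install whenever it decides to prompt on a runner with no tty. Use `sudo apt-get install -y wget gnupg` and `sudo apt-get install -y trivy`. The `sudo tee -a` into `/etc/apt/sources.list.d/trivy.list` is harmless on an ephemeral runner, but it appends a duplicate repository line on every re-run of a persistent machine; plain `sudo tee` (overwrite) is the safer form for a file this step owns.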
@@ -68,7 +70,15 @@ jobs:
 sudo apt-get update
 sudo apt-get install trivy
- - name: Verify Installations
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+
+ - name: Build Project Docker Image
+ run: |
+ cd $GITHUB_WORKSPACE
+ docker build -t $PROJECT_IMAGE_NAME .
+
+ - name: Run Trivy Scan
 run: |
- trivy --version
- docker --version
\ No newline at end of file
+ trivy image $PROJECT_IMAGE_NAME
+
\ No newline at end of file
From c5a785c065878d3e087ff83f167a1e1df89b143f Mon Sep 17 00:00:00 2001
From: Maurice Atrops
Date: Sat, 3 May 2025 17:10:50 +0200
Subject: [PATCH 04/19] feat: add trivy dockerfile scan
---
 .github/workflows/ci-pipeline.yaml | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml
index 8cb251b..da8d3ec 100644
--- a/.github/workflows/ci-pipeline.yaml
+++ b/.github/workflows/ci-pipeline.yaml
@@ -52,13 +52,14 @@ jobs:
 $POETRY_HOME/bin/poetry run bandit src/ -r -ll # Report medium vulnerabilities or higher
 scan:
- name: Scan Docker Image
+ name: Scan Docker Resources
 runs-on: ubuntu-latest
 env:
 PROJECT_IMAGE_NAME: tmp-image
 steps:
- # Build project container image
- # Scan Image with Trivy
+ - name: Checkout Repository
+ uses: actions/checkout@v4
+
 - name: Install Trivy
 run: |
 # According to https://trivy.dev/latest/getting-started/installation/#debianubuntu-official
@@ -70,15 +71,15 @@ jobs:
 sudo apt-get update
 sudo apt-get install trivy
- - name: Checkout Repository
- uses: actions/checkout@v4
-
 - name: Build Project Docker Image
 run: |
- cd $GITHUB_WORKSPACE
 docker build -t $PROJECT_IMAGE_NAME .
- - name: Run Trivy Scan
+ - name: Run Trivy Image Scan
+ run: |
+ trivy image --format sarif -o trivy-report-image.sarif $PROJECT_IMAGE_NAME
+
+ - name: Run Trivy Dockerfile Scan
 run: |
- trivy image $PROJECT_IMAGE_NAME
+ trivy config --format sarif -o trivy-report-dockerfile.sarif .
\ No newline at end of file
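Review bot: The step named `Run Trivy Dockerfile Scan` runs `trivy config ... .`, which walks the entire checkout and reports on every IaC file Trivy recognises (Kubernetes manifests, Terraform, Compose files, …), not just the Dockerfile, yet the report is named `trivy-report-dockerfile.sarif` as if it did. Either scan what the name promises, `trivy config --format sarif -o trivy-report-dockerfile.sarif Dockerfile`, or rename the step and report to say "config" so readers of the Security tab know what the category covers. Both SARIF files are also written into the workspace root; that is fine here because `docker build` has already run, but anything that rebuilds the image later would copy them into it unless `.dockerignore` excludes `*.sarif`.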
From 2a2f4bb1a02dc8416ed9993bc35e86a2fe3163a7 Mon Sep 17 00:00:00 2001
From: Maurice Atrops
Date: Sat, 3 May 2025 20:32:24 +0200
Subject: [PATCH 05/19] feat: upload trivy results as artifact
---
 .github/workflows/ci-pipeline.yaml | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml
index da8d3ec..d156f4b 100644
--- a/.github/workflows/ci-pipeline.yaml
+++ b/.github/workflows/ci-pipeline.yaml
@@ -56,6 +56,7 @@ jobs:
 runs-on: ubuntu-latest
 env:
 PROJECT_IMAGE_NAME: tmp-image
+ TRIVY_REPORT_DIR: /tmp/trivy_reports
 steps:
 - name: Checkout Repository
 uses: actions/checkout@v4
@@ -77,9 +78,17 @@ jobs:
 - name: Run Trivy Image Scan
 run: |
- trivy image --format sarif -o trivy-report-image.sarif $PROJECT_IMAGE_NAME
+ trivy image --format sarif -o $TRIVY_REPORT_DIR/trivy-report-image.sarif $PROJECT_IMAGE_NAME
 - name: Run Trivy Dockerfile Scan
 run: |
- trivy config --format sarif -o trivy-report-dockerfile.sarif .
-
\ No newline at end of file
+ trivy config --format sarif -o $TRIVY_REPORT_DIR/trivy-report-dockerfile.sarif .
+
+ - name: Upload Trivy Scan Results
+ uses: actions/upload-artifact@v4
+ with:
+ name: trivy-reports
+ path: $TRIVY_REPORT_DIR
+
+ # TODO: Upload scan results
+ # TODO: Fail scans in case of vulnerabilities
\ No newline at end of file
From 3b43cc6161f18427ccd635a812eec58fbede118d Mon Sep 17 00:00:00 2001
From: Maurice Atrops
Date: Sat, 3 May 2025 20:34:31 +0200
Subject: [PATCH 06/19] feat: upload trivy results as artifact
---
 .github/workflows/ci-pipeline.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml
index d156f4b..5f43a64 100644
--- a/.github/workflows/ci-pipeline.yaml
+++ b/.github/workflows/ci-pipeline.yaml
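Review bot: `path: $TRIVY_REPORT_DIR` in the `with:` block of `actions/upload-artifact@v4` is handed to the action literally — `with:` inputs are not shell-expanded, only `${{ }}` expressions are — so the upload will look for a directory literally named `$TRIVY_REPORT_DIR` and find nothing. Use `path: ${{ env.TRIVY_REPORT_DIR }}`. The two scans also write into `/tmp/trivy_reports` before anything creates it; Trivy's `-o` does not appear to create parent directories, so a `mkdir -p "$TRIVY_REPORT_DIR"` is needed ahead of the first scan. `/tmp` on the runner is fine for this, but note that the SARIF then lives outside the workspace and any later step that expects relative paths will not see it.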
@@ -76,6 +76,10 @@ jobs:
 run: |
 docker build -t $PROJECT_IMAGE_NAME .
+ - name: Setup Trivy Reports Directory
+ run: |
+ mkdir -p $TRIVY_REPORT_DIR
+
 - name: Run Trivy Image Scan
 run: |
 trivy image --format sarif -o $TRIVY_REPORT_DIR/trivy-report-image.sarif $PROJECT_IMAGE_NAME
From 8e850e44826394a2bef36c6ec86b008bc970f35e Mon Sep 17 00:00:00 2001
From: Maurice Atrops
Date: Sat, 3 May 2025 20:40:30 +0200
Subject: [PATCH 07/19] feat: upload trivy results as artifact
---
 .github/workflows/ci-pipeline.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml
index 5f43a64..df8f144 100644
--- a/.github/workflows/ci-pipeline.yaml
+++ b/.github/workflows/ci-pipeline.yaml
@@ -79,6 +79,7 @@ jobs:
 - name: Setup Trivy Reports Directory
 run: |
 mkdir -p $TRIVY_REPORT_DIR
+ echo "Test" > $TRIVY_REPORT_DIR/debug.txt
 - name: Run Trivy Image Scan
 run: |
From 4d0460ffb4dcb53f057fa0087a22fb8dc92365ca Mon Sep 17 00:00:00 2001
From: Maurice Atrops
Date: Sat, 3 May 2025 20:42:34 +0200
Subject: [PATCH 08/19] feat: upload trivy results as artifact
---
 .github/workflows/ci-pipeline.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml
index df8f144..7fa9b69 100644
--- a/.github/workflows/ci-pipeline.yaml
+++ b/.github/workflows/ci-pipeline.yaml
@@ -93,7 +93,7 @@ jobs:
 uses: actions/upload-artifact@v4
 with:
 name: trivy-reports
- path: $TRIVY_REPORT_DIR
+ path: $TRIVY_REPORT_DIR/**
 # TODO: Upload scan results
 # TODO: Fail scans in case of vulnerabilities
\ No newline at end of file
From 865626f319487fb35c0f3a027cbe2794ae043dbf Mon Sep 17 00:00:00 2001
From: Maurice Atrops
Date: Sat, 3 May 2025 20:45:08 +0200
Subject: [PATCH 09/19] feat: upload trivy results as artifact
---
 .github/workflows/ci-pipeline.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml
index 7fa9b69..4f41ecc 100644
--- a/.github/workflows/ci-pipeline.yaml
+++ b/.github/workflows/ci-pipeline.yaml
@@ -94,6 +94,10 @@ jobs:
 with:
 name: trivy-reports
 path: $TRIVY_REPORT_DIR/**
+
+ - name: Inspect Trivy Report Dir
+ run: |
+ ls -lisa $TRIVY_REPORT_DIR
 # TODO: Upload scan results
 # TODO: Fail scans in case of vulnerabilities
\ No newline at end of file
From 45b0191b9dddeb5832fe3c02175ac92763adade2 Mon Sep 17 00:00:00 2001
From: Maurice Atrops
Date: Sat, 3 May 2025 20:48:15 +0200
Subject: [PATCH 10/19] feat: upload trivy results as artifact
---
 .github/workflows/ci-pipeline.yaml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml
index 4f41ecc..bd8c571 100644
--- a/.github/workflows/ci-pipeline.yaml
+++ b/.github/workflows/ci-pipeline.yaml
@@ -85,6 +85,14 @@ jobs:
 run: |
 trivy image --format sarif -o $TRIVY_REPORT_DIR/trivy-report-image.sarif $PROJECT_IMAGE_NAME
+ # - name: Upload Trivy Image Scan Result
+ # uses: github/codeql-action/upload-sarif@v3
+ # with:
+ # sarif_file: results.sarif
+ # # Optional category for the results
+ # # Used to differentiate multiple results for one commit
+ # category: my-analysis-tool
+
 - name: Run Trivy Dockerfile Scan
 run: |
 trivy config --format sarif -o $TRIVY_REPORT_DIR/trivy-report-dockerfile.sarif .
@@ -93,7 +101,7 @@ jobs:
 uses: actions/upload-artifact@v4
 with:
 name: trivy-reports
- path: $TRIVY_REPORT_DIR/**
+ path: ${{ env.TRIVY_REPORT_DIR }}
 - name: Inspect Trivy Report Dir
 run: |
From 71002189c76c96b971da5cc60222d65a40a982ff Mon Sep 17 00:00:00 2001
From: Maurice Atrops
Date: Sat, 3 May 2025 20:53:40 +0200
Subject: [PATCH 11/19] feat: upload trivy results as artifact
---
 .github/workflows/ci-pipeline.yaml | 28 +++++++++++-----------------
 1 file changed, 11 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml
index bd8c571..2adc80e 100644
--- a/.github/workflows/ci-pipeline.yaml
+++ b/.github/workflows/ci-pipeline.yaml
@@ -83,29 +83,23 @@ jobs:
 - name: Run Trivy Image Scan
 run: |
- trivy image --format sarif -o $TRIVY_REPORT_DIR/trivy-report-image.sarif $PROJECT_IMAGE_NAME
+ trivy image --format sarif -o trivy-image-report.sarif $PROJECT_IMAGE_NAME
- # - name: Upload Trivy Image Scan Result
- # uses: github/codeql-action/upload-sarif@v3
- # with:
- # sarif_file: results.sarif
- # # Optional category for the results
- # # Used to differentiate multiple results for one commit
- # category: my-analysis-tool
+ - name: Upload Trivy Image Scan Result
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: trivy-image-report.sarif
+ category: trivy-image-report
 - name: Run Trivy Dockerfile Scan
 run: |
- trivy config --format sarif -o $TRIVY_REPORT_DIR/trivy-report-dockerfile.sarif .
+ trivy config --format sarif -o trivy-dockerfile-report.sarif .
- - name: Upload Trivy Scan Results
- uses: actions/upload-artifact@v4
+ - name: Upload Trivy Config Scan Result
+ uses: github/codeql-action/upload-sarif@v3
 with:
- name: trivy-reports
- path: ${{ env.TRIVY_REPORT_DIR }}
-
- - name: Inspect Trivy Report Dir
- run: |
- ls -lisa $TRIVY_REPORT_DIR
+ sarif_file: trivy-config-report.sarif
+ category: trivy-config-report
 # TODO: Upload scan results
 # TODO: Fail scans in case of vulnerabilities
\ No newline at end of file
From c7ca1fb0cbc6163913f6c0ab90d657adcf14307c Mon Sep 17 00:00:00 2001
From: Maurice Atrops
Date: Sat, 3 May 2025 20:56:51 +0200
Subject: [PATCH 12/19] feat: upload trivy results as artifact
---
 .github/workflows/ci-pipeline.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml
index 2adc80e..c7b4ad2 100644
--- a/.github/workflows/ci-pipeline.yaml
+++ b/.github/workflows/ci-pipeline.yaml
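Review bot: The second upload step references `sarif_file: trivy-config-report.sarif`, but the `trivy config` command two steps earlier writes `trivy-dockerfile-report.sarif`, so `upload-sarif` will fail on a missing file; the two names need to agree. Both `github/codeql-action/upload-sarif@v3` steps should also carry `if: always()` so findings still reach the Security tab when an earlier scan step exits non-zero — which is exactly what happens once the scans are made to gate. Finally, `github/codeql-action/upload-sarif@v3` and `actions/checkout@v4` are pinned to mutable tags; for a job that holds `security-events: write`, pinning third-party actions to a full commit SHA (with the tag in a trailing comment) is the usual hardening.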
@@ -54,6 +54,10 @@ jobs:
 scan:
 name: Scan Docker Resources
 runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ actions: read
+ contents: read
 env:
 PROJECT_IMAGE_NAME: tmp-image
 TRIVY_REPORT_DIR: /tmp/trivy_reports
From 06a6eb65606f0a4faf964c539dbe90cba6e5cf6b Mon Sep 17 00:00:00 2001
From: Maurice Atrops
Date: Sat, 3 May 2025 20:58:54 +0200
Subject: [PATCH 13/19] feat: upload trivy results as artifact
---
 .github/workflows/ci-pipeline.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml
index c7b4ad2..9b5eb6a 100644
--- a/.github/workflows/ci-pipeline.yaml
+++ b/.github/workflows/ci-pipeline.yaml
@@ -102,8 +102,8 @@ jobs:
 - name: Upload Trivy Config Scan Result
 uses: github/codeql-action/upload-sarif@v3
 with:
- sarif_file: trivy-config-report.sarif
- category: trivy-config-report
+ sarif_file: trivy-dockerfile-report.sarif
+ category: trivy-dockerfile-report
 # TODO: Upload scan results
 # TODO: Fail scans in case of vulnerabilities
\ No newline at end of file
From 8b51ba3f5facb45f062d987513c11ada74d24102 Mon Sep 17 00:00:00 2001
From: Maurice Atrops
Date: Sat, 3 May 2025 21:11:25 +0200
Subject: [PATCH 14/19] debug: provoke trivy report
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Dockerfile b/Dockerfile
index a71fa6b..aafec7e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,7 +12,7 @@ ARG INSTALLER_PATH=/build
 ARG INSTALLER_VENV_PATH=${INSTALLER_PATH}/.venv
-FROM python:3.12-slim AS base
+FROM python AS base
 # This is the first stage where we handle the installation process of necessary python dependencies
 FROM base AS installer
From 15b462cf7df5a953dfb72593d5c6823075b00f57 Mon Sep 17 00:00:00 2001
From: Maurice Atrops
Date: Sat, 3 May 2025 21:15:30 +0200
Subject: [PATCH 15/19] debug: provoke trivy report
---
 .github/workflows/ci-pipeline.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
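Review bot: Scoping `permissions` to the `scan` job is the right direction, but it only restricts this job's token; the `test-and-check` job above (outside this hunk) still receives the repository's default `GITHUB_TOKEN` permissions, which may be read/write depending on the repository setting. Add a workflow-level `permissions: contents: read` block so every job starts from least privilege and `scan` is the only one elevated to `security-events: write`. `actions: read` is only required by `upload-sarif` on private repositories; a comment such as `# actions: read — needed by upload-sarif on private repos` would record why it is granted so it is not copied forward blindly.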
diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml
index 9b5eb6a..10c5994 100644
--- a/.github/workflows/ci-pipeline.yaml
+++ b/.github/workflows/ci-pipeline.yaml
@@ -104,6 +104,12 @@ jobs:
 with:
 sarif_file: trivy-dockerfile-report.sarif
 category: trivy-dockerfile-report
+
+ - name: Upload results
+ uses: actions/upload-artifact@v4
+ with:
+ name: trivy-reports
+ path: *.sarif
 # TODO: Upload scan results
 # TODO: Fail scans in case of vulnerabilities
\ No newline at end of file
From 82affc3340e155a80f39faa97a64c886e5bad790 Mon Sep 17 00:00:00 2001
From: Maurice Atrops
Date: Sat, 3 May 2025 21:16:20 +0200
Subject: [PATCH 16/19] debug: provoke trivy report
---
 .github/workflows/ci-pipeline.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml
index 10c5994..9b89cbc 100644
--- a/.github/workflows/ci-pipeline.yaml
+++ b/.github/workflows/ci-pipeline.yaml
@@ -109,7 +109,7 @@ jobs:
 uses: actions/upload-artifact@v4
 with:
 name: trivy-reports
- path: *.sarif
+ path: ./*.sarif
 # TODO: Upload scan results
 # TODO: Fail scans in case of vulnerabilities
\ No newline at end of file
From 183620418b4046621c8b6024148ddbfcbe1d19b2 Mon Sep 17 00:00:00 2001
From: Maurice Atrops
Date: Sat, 3 May 2025 21:23:07 +0200
Subject: [PATCH 17/19] fix: set severity for trivy
---
 .github/workflows/ci-pipeline.yaml | 10 ++--------
 Dockerfile | 2 +-
 2 files changed, 3 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml
index 9b89cbc..a26054b 100644
--- a/.github/workflows/ci-pipeline.yaml
+++ b/.github/workflows/ci-pipeline.yaml
@@ -87,7 +87,7 @@ jobs:
 - name: Run Trivy Image Scan
 run: |
- trivy image --format sarif -o trivy-image-report.sarif $PROJECT_IMAGE_NAME
+ trivy image --severity HIGH,CRITICAL --format sarif -o trivy-image-report.sarif $PROJECT_IMAGE_NAME
 - name: Upload Trivy Image Scan Result
 uses: github/codeql-action/upload-sarif@v3
@@ -97,7 +97,7 @@ jobs:
 - name: Run Trivy Dockerfile Scan
 run: |
- trivy config --format sarif -o trivy-dockerfile-report.sarif .
+ trivy config --severity HIGH,CRITICAL --format sarif -o trivy-dockerfile-report.sarif .
 - name: Upload Trivy Config Scan Result
 uses: github/codeql-action/upload-sarif@v3
@@ -105,11 +105,5 @@ jobs:
 sarif_file: trivy-dockerfile-report.sarif
 category: trivy-dockerfile-report
- - name: Upload results
- uses: actions/upload-artifact@v4
- with:
- name: trivy-reports
- path: ./*.sarif
-
 # TODO: Upload scan results
 # TODO: Fail scans in case of vulnerabilities
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index aafec7e..a71fa6b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,7 +12,7 @@ ARG INSTALLER_PATH=/build
 ARG INSTALLER_VENV_PATH=${INSTALLER_PATH}/.venv
-FROM python AS base
+FROM python:3.12-slim AS base
 # This is the first stage where we handle the installation process of necessary python dependencies
 FROM base AS installer
From c7cd515a2b7ea98c02f067c0520b0908efa6b774 Mon Sep 17 00:00:00 2001
From: Maurice Atrops
Date: Sat, 3 May 2025 21:27:33 +0200
Subject: [PATCH 18/19] docs: remove clutter
---
 .github/workflows/ci-pipeline.yaml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml
index a26054b..0c8168c 100644
--- a/.github/workflows/ci-pipeline.yaml
+++ b/.github/workflows/ci-pipeline.yaml
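Review bot: `--severity HIGH,CRITICAL` is applied to the same invocation that produces the SARIF uploaded to code scanning, so MEDIUM and lower findings now disappear from the Security tab entirely rather than merely from a gate, while the Bandit step in the same workflow still reports medium-and-up (`-ll`); the two scanners end up with different thresholds for no stated reason. If the goal is to cut noise from unfixable base-image CVEs, `--ignore-unfixed` is the more targeted switch; if the goal is a pass/fail threshold, keep the uploaded SARIF unfiltered and apply `--severity HIGH,CRITICAL` only where an exit code is evaluated. Whichever is intended, a one-line comment above the step stating the chosen threshold and why would save the next reader from guessing.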
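Review bot: Restoring `FROM python:3.12-slim AS base` removes the provoked findings, but `3.12-slim` is still a mutable tag that the registry can repoint at any time, so the image Trivy scans in CI is not necessarily the one a later build will produce. Pinning the base image by digest, `FROM python:3.12-slim@sha256:<digest> AS base`, makes each scan result attributable to one specific base and turns base-image updates into an explicit, reviewable bump. Only the `base` stage is visible in this hunk; the remaining stages of the multi-stage build lie outside it.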
@@ -50,6 +50,7 @@ jobs:
 - name: Run SAST
 run: |
 $POETRY_HOME/bin/poetry run bandit src/ -r -ll # Report medium vulnerabilities or higher
+ # TODO (matrops): One could invest more effort here to generate SARIF files and integrate them in GitHub Security Monitoring
 scan:
 name: Scan Docker Resources
@@ -104,6 +105,4 @@ jobs:
 with:
 sarif_file: trivy-dockerfile-report.sarif
 category: trivy-dockerfile-report
-
- # TODO: Upload scan results
- # TODO: Fail scans in case of vulnerabilities
\ No newline at end of file
+
\ No newline at end of file
From 50ab08e5f5a6bc9aa44f2477b37d2c10f8e0d35d Mon Sep 17 00:00:00 2001
From: Maurice Atrops
Date: Sat, 3 May 2025 21:30:08 +0200
Subject: [PATCH 19/19] docs: add explanations
---
 .github/workflows/ci-pipeline.yaml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci-pipeline.yaml b/.github/workflows/ci-pipeline.yaml
index 0c8168c..71ec0e9 100644
--- a/.github/workflows/ci-pipeline.yaml
+++ b/.github/workflows/ci-pipeline.yaml
@@ -6,9 +6,9 @@ on:
 branches:
 - main
 - 'feature/**'
- # Deactivated for testing
- # paths:
- # - '**.py'
+ pull_request:
+ branches:
+ - main
 env:
 PYTHON_IMAGE: 'python:3.12-slim'
@@ -56,6 +56,7 @@ jobs:
 name: Scan Docker Resources
 runs-on: ubuntu-latest
 permissions:
+ # Needed for SARIF upload
 security-events: write
 actions: read
 contents: read
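Review bot: The `# TODO: Fail scans in case of vulnerabilities` reminder is deleted in this hunk, but nothing in the workflow implements it: neither `trivy image` nor `trivy config` passes `--exit-code`, so Trivy exits 0 whatever it finds and the `scan` job stays green even with CRITICAL findings in the image — results reach the Security tab but never block a merge. If gating is still intended, add `--exit-code 1` to both invocations and put `if: always()` on the two `upload-sarif` steps so the SARIF is still published when a scan fails. If the job is meant to be report-only, say so in a comment on the `scan` job, e.g. `# Report-only: findings are uploaded to code scanning but do not fail the job`, so the next reader does not assume it gates.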
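Review bot: Adding `pull_request` as a trigger means the `scan` job now runs for pull requests, and if the repository accepts pull requests from forks, the `GITHUB_TOKEN` on those runs is read-only regardless of the job's `permissions` block, so both `upload-sarif` steps will fail there. If fork PRs are expected, guard the uploads with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, or let them fail softly with `continue-on-error: true` and rely on the push-to-branch run for the Security tab. Building and scanning PR code with `docker build` is acceptable here precisely because the trigger is `pull_request` rather than `pull_request_target`; it should stay that way, since `pull_request_target` would run untrusted Dockerfiles with a write-capable token.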