besu/.github/workflows/container-security-scan.yml at ffa6ff8092335349ad4f4cb73d58988c5461b90d · besu-eth/besu · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
name: container security scan

on:
  workflow_dispatch:
    inputs:
      tag:
        description: 'Container image tag'
        required: false
        default: 'develop'
  schedule:
    # Start of the hour is the busy time. Schedule it to run 8:17am UTC
    - cron:  '17 8 * * *'

jobs:
  scan-sarif:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write

    steps:
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1

      # Shell parameter expansion does not support directly on a step
      # Adding a separate step to set the image tag. This allows running
      # this workflow with a schedule as well as manual
      - name: Set image tag
        id: tag
        run: |
          echo "TAG=${INPUT_TAG:-develop}" >> "$GITHUB_OUTPUT"
        env:
          INPUT_TAG: ${{ inputs.tag }}

      - name: Vulnerability scanner
        id: trivy
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          image-ref: hyperledger/besu:${{ steps.tag.outputs.TAG }}
          format: sarif
          output: 'trivy-results.sarif'

      # Check the vulnerabilities via GitHub security tab
      - name: Upload results
        uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251
        with:
          sarif_file: 'trivy-results.sarif'