yujunjun/OpenMetadata
1
0
Fork 0
mirror of https://github.com/open-metadata/OpenMetadata.git synced 2026-01-08 13:36:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
OpenMetadata/.github/workflows/trivy-scan-openmetadta-server.yml

75 lines
2.5 KiB
YAML
Raw Blame History

name: Trivy Scan For OpenMetadata Server Docker Image
on:
pull_request_target:
types: [labeled, opened, synchronize, reopened, ready_for_review]
paths:
- "**/*.java"
- "docker/development/Dockerfile"
concurrency:
group: trivy-server-scan-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
jobs:
build-and-scan:
runs-on: ubuntu-latest
if: ${{ !github.event.pull_request.draft }}
permissions:
pull-requests: write
steps:
- name: Wait for the labeler
uses: lewagon/wait-on-check-action@v1.3.4
if: ${{ github.event_name == 'pull_request_target' }}
with:
ref: ${{ github.event.pull_request.head.sha }}
check-name: Team Label
repo-token: ${{ secrets.GITHUB_TOKEN }}
wait-interval: 90
- name: Verify PR labels
uses: jesusvasquez333/verify-pr-label-action@v1.4.0
if: ${{ github.event_name == 'pull_request_target' }}
with:
github-token: '${{ secrets.GITHUB_TOKEN }}'
valid-labels: 'safe to test'
pull-request-number: '${{ github.event.pull_request.number }}'
disable-reviews: true # To not auto approve changes
- name: Checkout Repository
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Prepare for Docker Build
id: prepare
uses: ./.github/actions/prepare-for-docker-build
with:
image: openmetadata-server
tag: trivy
is_ingestion: false
- name: Build Docker Image
run: |
docker build -t openmetadata-server:trivy -f docker/development/Dockerfile .
- name: Run Trivy Image Scan
id: trivy_scan
uses: aquasecurity/trivy-action@master
with:
scan-type: "image"
image-ref: openmetadata-server:trivy
hide-progress: false
ignore-unfixed: true
severity: "HIGH,CRITICAL,MEDIUM"
scan-ref: .
format: 'template'
template: "@.github/trivy/templates/github.tpl"
output: trivy-result-openmetadata-server.md
env:
TRIVY_DISABLE_VEX_NOTICE: "true"
- name: Comment Trivy Scan Results on PR
uses: marocchino/sticky-pull-request-comment@v2
with:
path: trivy-result-openmetadata-server.md
header: "trivy-scan-${{ github.workflow }}"
Reference in New Issue View Git Blame Copy Permalink