Add Trivy workflow (#340)

waybackarchiver · web-flow · commit fa38c1b7ddb9 · 2023-03-15T02:02:25.000Z
* Update changelog.md
* Use vars instead of secrets
diff --git a/.github/workflows/analysis.yml b/.github/workflows/analysis.yml
@@ -74,3 +74,14 @@ jobs:
   dependency-review:
     name: Dependency Review
     uses: wabarc/.github/.github/workflows/reusable-dependency-review.yml@main
+
+  trivy:
+    name: Trivy
+    uses: wabarc/.github/.github/workflows/reusable-trivy.yml@main
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      #actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    with:
+      scan-type: 'fs'
+      sarif: 'filesystem.sarif'
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -38,6 +38,9 @@ jobs:
     permissions:
       packages: write
       id-token: write
+    outputs:
+      image: ${{ steps.prep.outputs.ghcr }}
+      version: ${{ steps.meta.outputs.version }}
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # v1.5.0
@@ -101,7 +104,7 @@ jobs:
         if: github.event_name != 'pull_request'
         uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
+          username: ${{ vars.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
 
       - name: Login to GitHub Container Registry
@@ -182,6 +185,9 @@ jobs:
     permissions:
       packages: write
       id-token: write
+    outputs:
+      image: ${{ steps.prep.outputs.ghcr }}
+      version: ${{ steps.meta.outputs.version }}
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # v1.5.0
@@ -308,3 +314,29 @@ jobs:
           IMAGE_NAME=${{ steps.prep.outputs.ghcr }}:${{ steps.meta.outputs.version }}
           cat cosign.pub
           cosign verify --key cosign.pub $IMAGE_NAME
+
+  trivy-standalone:
+    name: Trivy for standalone
+    uses: wabarc/.github/.github/workflows/reusable-trivy.yml@main
+    needs: publish
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      #actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    with:
+      scan-type: 'image'
+      image-ref: '${{ needs.publish.outputs.image }}:${{ needs.publish.outputs.version }}'
+      sarif: 'container-standalone.sarif'
+
+  trivy-bundle:
+    name: Trivy for bundle
+    uses: wabarc/.github/.github/workflows/reusable-trivy.yml@main
+    needs: allinone
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      #actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    with:
+      scan-type: 'image'
+      image-ref: '${{ needs.allinone.outputs.image }}:${{ needs.allinone.outputs.version }}'
+      sarif: 'container-bundle.sarif'
diff --git a/docs/changelog.md b/docs/changelog.md
@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Add support for publish to Nostr ([#311](https://github.com/wabarc/wayback/pull/311))
   - Message content styling
 - Add documentation ([#330](https://github.com/wabarc/wayback/pull/330))
+- Add Trivy workflow ([#340](https://github.com/wabarc/wayback/pull/340))
 
 ### Changed
 - Sign images using cosign
