From bc9b7e1cf7a0694e355c5d23b5e323a07e8ba670 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Sat, 28 Mar 2026 20:37:20 -0700
Subject: [PATCH] ci: add Trivy CVE scan to container release workflow
---
.github/workflows/container_latest.yml | 37 +++++++++++++++++++++++++-
1 file changed, 36 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/container_latest.yml b/.github/workflows/container_latest.yml
index 27e131a52..e1d18ffa7 100644
--- a/.github/workflows/container_latest.yml
+++ b/.github/workflows/container_latest.yml
@@ -26,6 +26,7 @@ on:
permissions:
contents: read
+ security-events: write
jobs:
setup:
@@ -149,9 +150,43 @@ jobs:
# Remove Go build cache
sudo rm -rf /tmp/go-build*
- create-manifest:
+ trivy-scan:
runs-on: ubuntu-latest
needs: [setup, build]
+ strategy:
+ matrix:
+ variant: ${{ fromJSON(needs.setup.outputs.variants) }}
+ steps:
+ - name: Configure variant
+ id: config
+ run: |
+ if [ "${{ matrix.variant }}" == "large_disk" ]; then
+ echo "tag_suffix=_large_disk" >> $GITHUB_OUTPUT
+ else
+ echo "tag_suffix=" >> $GITHUB_OUTPUT
+ fi
+ - name: Login to GHCR
+ uses: docker/login-action@v4
+ with:
+ registry: ghcr.io
+ username: ${{ secrets.GHCR_USERNAME }}
+ password: ${{ secrets.GHCR_TOKEN }}
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ghcr.io/chrislusf/seaweedfs:${{ github.event_name == 'workflow_dispatch' && github.event.inputs.image_tag || 'latest' }}${{ steps.config.outputs.tag_suffix }}-amd64
+ format: sarif
+ output: trivy-results.sarif
+ severity: HIGH,CRITICAL
+ - name: Upload Trivy scan results to GitHub Security
+ uses: github/codeql-action/upload-sarif@v3
+ if: always()
+ with:
+ sarif_file: trivy-results.sarif
+
+ create-manifest:
+ runs-on: ubuntu-latest
+ needs: [setup, build, trivy-scan]
if: github.event_name != 'pull_request'
strategy:
matrix:
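Review bot: `security-events: write` is added to the workflow-level `permissions:` block, so every job in the file (setup, build, create-manifest and the rest) receives a GITHUB_TOKEN with that scope, while only the upload-sarif step in the new trivy-scan job needs it. Scope it to that job instead: keep the top-level block at `contents: read` and add a job-level `permissions:` on trivy-scan with `contents: read` and `security-events: write`. Job-level `permissions:` replaces rather than extends the workflow-level set, so `contents: read` must be restated there or the checkout-free job still works but any later step needing repo read access would not.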
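Review bot: `uses: aquasecurity/trivy-action@master` in the new trivy-scan job pulls a floating branch into a job that holds `secrets.GHCR_TOKEN` and a `security-events: write` token, so a compromised or force-pushed upstream commit would run with those credentials; pin it to a full commit SHA with a version comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha> # vX.Y.Z`, the way the neighbouring docker/login-action and upload-sarif steps are at least tag-pinned. The upload-sarif step also sets no `category`, and because the job runs once per matrix variant, both uploads for the same commit land in the default category and the later one supersedes the earlier, hiding one variant's findings; add `category: trivy-${{ matrix.variant }}` under its `with:`. Note that trivy-action exits 0 by default, so HIGH/CRITICAL findings only populate the Security tab and create-manifest (which now depends on trivy-scan) still publishes the manifest; if the scan is meant to gate the release, add `exit-code: '1'` (optionally with `ignore-unfixed: true`). Only the `-amd64` image is scanned here; if the build job produces other architectures, they ship unscanned. The create-manifest job continues past the end of the hunk.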