ci: add container scanning to default checks

Fixes hyperledger-cacti#1876 Depends On: hyperledger-cacti#2121 Depends On: hyperledger-cacti#2135 Signed-off-by: zondervancalvez <zondervan.v.calvez@accenture.com>
zondervancalvez · Aug 15, 2023 · 632c5d5 · 632c5d5
1 parent b910681
commit 632c5d5
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -1345,7 +1345,17 @@ jobs:
     steps:
       - uses: actions/checkout@v3.5.2
       - name: ghcr.io/hyperledger/cactus-besu-all-in-one
-        run: DOCKER_BUILDKIT=1 docker build ./tools/docker/besu-all-in-one/ -f ./tools/docker/besu-all-in-one/Dockerfile
+        run: DOCKER_BUILDKIT=1 docker build ./tools/docker/besu-all-in-one/ -f ./tools/docker/besu-all-in-one/Dockerfile -t cactus-besu-all-in-one
+      - name: Run Trivy vulnerability scan for cactus-besu-all-in-one
+        uses: aquasecurity/trivy-action@0.11.2
+        with:
+          image-ref: 'cactus-besu-all-in-one'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
   ghcr-cmd-api-server:
     runs-on: ubuntu-20.04
     steps: