
fix(security): use official trivy image and remediate dependency CVEs #1

Workflow file for this run

name: Docker PR Build
on:
  pull_request:
    branches: [main]
  workflow_dispatch:
jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v2
      # Builds the full Dockerfile, including the SBOM stage that runs
      # `trivy sbom ... --exit-code 1`. The build fails if trivy installation
      # breaks or any UNKNOWN/HIGH/CRITICAL dependency CVE is present.
      # No push: this only validates that the image builds and passes the
      # trivy vulnerability gate.
      - name: Build (incl. trivy SBOM gate)
        uses: docker/build-push-action@v4
        with:
          context: ./
          file: ./Dockerfile
          builder: ${{ steps.buildx.outputs.name }}
          push: false
          load: false
          platforms: linux/amd64
          cache-from: type=registry,ref=ghcr.io/${{ github.repository }}:buildcache
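The workflow comment above describes a Dockerfile whose SBOM stage pulls trivy from the official image and runs `trivy sbom ... --exit-code 1` so that the image build itself is the vulnerability gate. The Dockerfile is not shown on this page; the following is an added illustration of that pattern, not the project's own Dockerfile. The Python base image, the `/app` layout, the `aquasec/trivy` tag and the final `CMD` are assumptions chosen for the example.

```dockerfile
# Added example (not the project's Dockerfile): a multi-stage build in which
# the final stage depends on a scan stage, so BuildKit cannot produce the
# image unless the trivy SBOM gate passes.

# Application stage. Base image and layout are assumptions for this example.
FROM python:3.12-slim AS app
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY . .

# Scan stage. Taking trivy from its official image, pinned to a release tag,
# replaces a curl | sh style install whose contents can change under you.
# The tag below is an assumption; pin to the release you have reviewed.
FROM aquasec/trivy:0.50.0 AS scan
# Bring the installed application and its dependency metadata into this stage
# so the scan covers exactly what ships, not a lockfile that may drift.
COPY --from=app /app /scan/app
COPY --from=app /usr/local/lib/python3.12/site-packages /scan/site-packages
# 1) Generate a CycloneDX SBOM of the copied filesystem.
RUN trivy fs --format cyclonedx --output /scan/sbom.cdx.json /scan
# 2) Scan that SBOM. --exit-code 1 turns any finding at the listed severities
#    into a non-zero RUN step, which fails `docker build` and therefore the
#    PR check in the workflow above.
RUN trivy sbom /scan/sbom.cdx.json \
      --severity UNKNOWN,HIGH,CRITICAL \
      --exit-code 1

# Final stage. The COPY --from=scan creates the dependency that forces the
# scan stage to run; it also ships the SBOM alongside the application.
FROM app AS final
COPY --from=scan /scan/sbom.cdx.json /sbom.cdx.json
CMD ["python", "app.py"]
```

Two things to check when adopting this shape: the scan stage needs network access during the build to download the trivy vulnerability database (the registry `cache-from` in the workflow caches image layers, not that database, so a stale cache does not silently reuse old results), and the final stage must reference the scan stage as above, otherwise BuildKit prunes the unused stage and the gate never runs.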