ci: fix scan job (#34)

* ci: fix `scan` job * ci: remove duplicate `latest` push * ci: trigger CI * ci: upload vulnerabilities to GitHub Security * ci: add missing permission * ci: add missing permissions * ci: revert tests
dvsa · Jul 2, 2024 · d948eec · d948eec
1 parent 958a603
commit d948eec
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 3 deletions.
diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml
@@ -98,3 +98,5 @@ jobs:
       contents: read
       id-token: write
       packages: write
+      actions: read
+      security-events: write
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -59,3 +59,5 @@ jobs:
     permissions:
       contents: read
       id-token: write
+      actions: read
+      security-events: write
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
@@ -58,11 +58,11 @@ jobs:
         id: meta
         uses: docker/metadata-action@v5
         with:
+          flavor: latest=true
           images: |
             ${{ env.REGISTRY }}/${{ inputs.repository }}
             ${{ env.REGISTRY_MIRROR }}/dvsa/dvsa-docker-images/${{ inputs.repository }}
           tags: |
-            type=raw,value=latest
             type=semver,enable=${{ inputs.is-release || inputs.is-schedule-release }},pattern={{major}}.{{minor}},value=${{ inputs.image-version }}
             type=semver,enable=${{ inputs.is-release || inputs.is-schedule-release }},pattern={{major}},value=${{ inputs.image-version }}
             type=semver,enable=${{ inputs.is-release }},pattern={{version}},value=${{ inputs.image-version }}
@@ -85,10 +85,10 @@ jobs:
         id: mutable-meta
         uses: docker/metadata-action@v5
         with:
+          flavor: latest=true
           # Only required for ECR (the main registry) as the mirror registry (GHCR) doesn't support tag immutability.
           images: ${{ env.REGISTRY }}/${{ inputs.repository }}
           tags: |
-            type=raw,value=latest
             type=semver,enable=${{ inputs.is-release || inputs.is-schedule-release }},pattern={{major}}.{{minor}},value=${{ inputs.image-version }}
             type=semver,enable=${{ inputs.is-release || inputs.is-schedule-release }},pattern={{major}},value=${{ inputs.image-version }}
 
@@ -153,6 +153,10 @@ jobs:
         with:
           ref: ${{ inputs.ref || null }}
           sparse-checkout: ${{ inputs.dockerfile-directory }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       - name: Build Docker image
         id: build-and-push
         uses: docker/build-push-action@v5
@@ -162,8 +166,15 @@ jobs:
           load: true
           tags: image-scan:latest
           cache-from: type=gha
-          cache-to: type=gha,mode=max
+
       - name: Scan
         uses: aquasecurity/trivy-action@0.23.0
         with:
           image-ref: ${{ steps.build-and-push.outputs.imageid }}
+          # format: 'sarif'
+          # output: 'trivy-results.sarif'
+
+      # - name: Upload Trivy scan results to GitHub Code Scanning
+      #   uses: github/codeql-action/upload-sarif@v3
+      #   with:
+      #     sarif_file: 'trivy-results.sarif'