Adding Trivy code scanner (#22326)

* Add initial repo scan * Do not upload anything yet * Uploading now * Changing for docker image * Test on branch * Upload to github | ignore some directories | abort on new commit * Return to master branch * Removing space * Moving Trivy to uberjar.yml * Fixing `a step cannot have both the `uses` and `run` keys`

Adding Trivy code scanner (#22326)
0ecb24cb · Diogo Mendes · GitHub · af726b9c · 0ecb24cb
Unverified Commit 0ecb24cb authored 2 years ago by Diogo Mendes Committed by GitHub 2 years ago
--- a/.github/workflows/uberjar.yml
+++ b/.github/workflows/uberjar.yml
@@ -9,6 +9,10 @@ on:
    - ".**"
    - "test*"

+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
  build:
    name: Build MB ${{ matrix.edition }}
@@ -114,9 +118,40 @@ jobs:
    - name: Retag and push images if master or main (ee)
      if: ${{ (github.ref_name == 'master' || github.ref_name == 'main') && matrix.edition == 'ee' }}
      run: docker tag localhost:5000/metabase-dev:${{ steps.extract_branch.outputs.branch }}-ee metabase/metabase-enterprise-head:latest && docker push metabase/metabase-enterprise-head:latest
+
    - name: Retag and push images if master or main (oss)
      if: ${{ (github.ref_name == 'master' || github.ref_name == 'main') && matrix.edition == 'oss' }}
      run: docker tag localhost:5000/metabase-dev:${{ steps.extract_branch.outputs.branch }}-oss metabase/metabase-head:latest && docker push metabase/metabase-head:latest
+
    - name: Retag and push images if branch
      if: ${{ !(startsWith(github.ref_name,'master') || startsWith(github.ref_name,'main') || startsWith(github.ref_name,'backport')) && matrix.edition == 'ee' }}
      run: docker tag localhost:5000/metabase-dev:${{ steps.extract_branch.outputs.branch }}-ee metabase/metabase-dev:${{ steps.extract_branch.outputs.branch }} && docker push metabase/metabase-dev:${{ steps.extract_branch.outputs.branch }}
+
+    - name: Run Trivy vulnerability scanner if master or main (ee)
+      if: ${{ (github.ref_name == 'master' || github.ref_name == 'main') && matrix.edition == 'ee' }}
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: docker.io/metabase-enterprise-head:latest
+        format: sarif
+        output: trivy-results.sarif
+
+    - name: Run Trivy vulnerability scanner if master or main (oss)
+      if: ${{ (github.ref_name == 'master' || github.ref_name == 'main') && matrix.edition == 'oss' }}
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: docker.io/metabase/metabase-head:latest
+        format: sarif
+        output: trivy-results.sarif
+
+    - name: Run Trivy vulnerability scanner if dev branch
+      if: ${{ !(startsWith(github.ref_name,'master') || startsWith(github.ref_name,'main') || startsWith(github.ref_name,'backport')) && matrix.edition == 'ee' }}
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: docker.io/metabase/metabase-dev:${{ steps.extract_branch.outputs.branch }}
+        format: sarif
+        output: trivy-results.sarif
+
+    - name: Upload Trivy scan results to GitHub Security tab
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: 'trivy-results.sarif'