Merge pull request #240 from cisagov/improvement/add_trivy_scanning

mcdonnnj · web-flow · commit 646c3bd7cb54 · 2025-07-10T17:46:08.000Z
Scan the Docker image for vulnerabilities at build time
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -29,6 +29,7 @@ updates:
       # Managed by cisagov/skeleton-docker
       # - dependency-name: actions/download-artifact
       # - dependency-name: actions/upload-artifact
+      # - dependency-name: aquasecurity/trivy-action
       # - dependency-name: docker/build-push-action
       # - dependency-name: docker/login-action
       # - dependency-name: docker/metadata-action
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -362,6 +362,54 @@ jobs:
       - name: Setup tmate debug session
         uses: mxschmitt/action-tmate@v3
         if: env.RUN_TMATE
+  scan:
+    name: Scan the image for vulnerabilities
+    needs:
+      - diagnostics
+      - repo-metadata
+      - build
+    permissions:
+      # actions/checkout needs this to fetch code
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Apply standard cisagov job preamble
+        uses: cisagov/action-job-preamble@v1
+        with:
+          # This functionality is poorly implemented and has been
+          # causing problems due to the MITM implementation hogging or
+          # leaking memory.  As a result we disable it by default.  If
+          # you want to temporarily enable it, simply set
+          # monitor_permissions equal to "true".
+          #
+          # TODO: Re-enable this functionality when practical.  See
+          # cisagov/skeleton-docker#224 for more details.
+          monitor_permissions: "false"
+          # Use a variable to specify the permissions monitoring
+          # configuration. By default this will yield the
+          # configuration stored in the cisagov organization-level
+          # variable, but if you want to use a different configuration
+          # then simply:
+          # 1. Create a repository-level variable with the name
+          # ACTIONS_PERMISSIONS_CONFIG.
+          # 2. Set this new variable's value to the configuration you
+          # want to use for this repository.
+          #
+          # Note in particular that changing the permissions
+          # monitoring configuration *does not* require you to modify
+          # this workflow.
+          permissions_monitoring_config: ${{ vars.ACTIONS_PERMISSIONS_CONFIG }}
+      - name: Download docker image artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist
+      - name: Load docker image
+        run: docker load < dist/image.tar.gz
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.32.0
+        with:
+          image-ref: ${{ needs.repo-metadata.outputs.image-name }}:latest
   test:
     # Executes tests on the single-platform image created in the "build" job.
     name: Test image
@@ -450,6 +498,7 @@ jobs:
       - lint
       - repo-metadata
       - prepare
+      - scan
       - test
     permissions:
       # actions/checkout needs this to fetch code
diff --git a/trivy.yml b/trivy.yml
@@ -0,0 +1,7 @@
+---
+# Fail if something is flagged
+exit-code: 1
+# Only flag critical and high vulnerabilities
+severity:
+  - CRITICAL
+  - HIGH
