diff --git a/.github/workflows/cve.yaml b/.github/workflows/cve.yaml
new file mode 100644
index 0000000000..8a8c2ac09e
--- /dev/null
+++ b/.github/workflows/cve.yaml
@@ -0,0 +1,68 @@
+name: CVE checks docker master
+on:
+ workflow_dispatch:
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '0 8 15 * *'
+jobs:
+ build-and-test:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+
+ - name: Cache local Maven repository
+ uses: actions/cache@v2
+ with:
+ path: ~/.m2/repository
+ key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+ restore-keys: |
+ ${{ runner.os }}-maven-
+
+ - name: Set up JDK 1.13
+ uses: actions/setup-java@v1
+ with:
+ java-version: 1.13
+
+ - name: Build project
+ id: build
+ run: |
+ mvn versions:set -DnewVersion=$GITHUB_SHA
+ mvn clean package -DskipTests
+ export VERSION=$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec)
+ echo "::set-output name=version::${VERSION}"
+
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v1
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+
+ - name: Cache Docker layers
+ uses: actions/cache@v2
+ with:
+ path: /tmp/.buildx-cache
+ key: ${{ runner.os }}-buildx-${{ github.sha }}
+ restore-keys: |
+ ${{ runner.os }}-buildx-
+
+ - name: Build docker image
+ uses: docker/build-push-action@v2
+ with:
+ builder: ${{ steps.buildx.outputs.name }}
+ context: kafka-ui-api
+ platforms: linux/amd64
+ push: false
+ load: true
+ tags: |
+ provectuslabs/kafka-ui:${{ steps.build.outputs.version }}
+ build-args: |
+ JAR_FILE=kafka-ui-api-${{ steps.build.outputs.version }}.jar
+ cache-from: type=local,src=/tmp/.buildx-cache
+ cache-to: type=local,dest=/tmp/.buildx-cache
+
+ - name: Run CVE checks
+ uses: aquasecurity/trivy-action@0.2.2
+ with:
+ image-ref: "provectuslabs/kafka-ui:${{ steps.build.outputs.version }}"
+ format: "table"
+ exit-code: "1"
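Review bot: `builder: ${{ steps.buildx.outputs.name }}` in the "Build docker image" step references a step id that is never declared — the "Set up Docker Buildx" step carries no `id: buildx`, so the expression expands to an empty string and the build silently falls back to whatever builder happens to be current; add `id: buildx` to that step. The workflow also declares no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope even though it only reads the checkout and never pushes (`push: false`); a top-level `permissions:` / `contents: read` would confine it to what it needs. The third-party actions (`docker/setup-qemu-action@v1`, `docker/setup-buildx-action@v1`, `docker/build-push-action@v2`, `aquasecurity/trivy-action@0.2.2`) are pinned to mutable tags rather than commit SHAs, so a retagged release changes what runs in this job without any diff here; pinning to full-length SHAs with the tag kept in a trailing comment is the usual mitigation. Lastly, `exit-code: "1"` with no `severity` or `ignore-unfixed` input fails the scheduled run on every finding, including ones with no available fix — stating the intended threshold explicitly would make the gate's meaning clear to whoever triages the failures.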