Add cve checks wf (#1681)

2022-02-25 15:49:23 +03:00 · 2022-02-25 15:49:23 +03:00 · 04fbd05d11
commit 04fbd05d11
parent fd7ba5e195
1 changed files with 68 additions and 0 deletions
--- a/.github/workflows/cve.yaml
+++ b/.github/workflows/cve.yaml
@ -0,0 +1,68 @@
 name: CVE checks docker master
 on:
  workflow_dispatch:
  schedule:
    # * is a special character in YAML so you have to quote this string
    - cron:  '0 8 15 * *'
 jobs:
  build-and-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Cache local Maven repository
        uses: actions/cache@v2
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: |
            ${{ runner.os }}-maven-
      - name: Set up JDK 1.13
        uses: actions/setup-java@v1
        with:
          java-version: 1.13
      - name: Build project
        id: build
        run: |
          mvn versions:set -DnewVersion=$GITHUB_SHA
          mvn clean package -DskipTests
          export VERSION=$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec)
          echo "::set-output name=version::${VERSION}"
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: Cache Docker layers
        uses: actions/cache@v2
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-
      - name: Build docker image
        uses: docker/build-push-action@v2
        with:
          builder: ${{ steps.buildx.outputs.name }}
          context: kafka-ui-api
          platforms: linux/amd64
          push: false
          load: true
          tags: |
            provectuslabs/kafka-ui:${{ steps.build.outputs.version }}
          build-args: |
            JAR_FILE=kafka-ui-api-${{ steps.build.outputs.version }}.jar
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache
      - name: Run CVE checks
        uses: aquasecurity/trivy-action@0.2.2
        with:
          image-ref: "provectuslabs/kafka-ui:${{ steps.build.outputs.version }}"
          format: "table"
          exit-code: "1"