@@ -20,7 +20,7 @@ permissions:
2020 security-events : write
2121
2222# A workflow run is made up of one or more jobs that can run sequentially or in parallel
23- jobs :
23+ jobs :
2424 iac-scan :
2525 # The type of runner that the job will run on
2626 runs-on : ubuntu-latest
5858 if : steps.changed-files.outputs.any_changed == 'true'
5959 uses : docker/setup-buildx-action@v3
6060
61+ - name : Log in to Docker Hub
62+ if : steps.changed-files.outputs.any_changed == 'true'
63+ uses : docker/login-action@v3.3.0
64+ with :
65+ username : ${{ secrets.DOCKERHUB_USERNAME }}
66+ password : ${{ secrets.DOCKERHUB_TOKEN }}
67+
68+ - name : Extract metadata (tags, labels) for Docker
69+ if : steps.changed-files.outputs.any_changed == 'true'
70+ id : meta
71+ uses : docker/metadata-action@v5.5.1
72+ with :
73+ images : georgedavisibexlabs/publish-sarif-to-jira
74+
6175 - name : Build Docker image
6276 if : steps.changed-files.outputs.any_changed == 'true'
6377 uses : docker/build-push-action@v6.6.1
@@ -66,16 +80,17 @@ jobs:
6680 file : Dockerfile
6781 push : false
6882 # sbom: true
69- tags : georgedavisibexlabs/publish-sarif-to-jira:build
83+ tags : ${{ steps.meta.outputs.tags }}
84+ labels : ${{ steps.meta.outputs.labels }}
7085
7186 - name : Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
7287 if : steps.changed-files.outputs.any_changed == 'true'
7388 uses : aquasecurity/trivy-action@0.24.0
7489 with :
75- scan-type : ' fs '
76- format : ' github'
77- output : ' dependency-results.sbom.json'
78- image-ref : ' . '
90+ scan-type : " fs "
91+ format : " github"
92+ output : " dependency-results.sbom.json"
93+ image-ref : " georgedavisibexlabs/publish-sarif-to-jira:main "
7994 github-pat : ${{ secrets.GITHUB_TOKEN }}
8095
8196 - name : Upload trivy SBOM as a Github artifact
@@ -86,30 +101,22 @@ jobs:
86101 path : trivy-dependency-results.sbom.json
87102 retention-days : 30
88103
89- - name : List Docker Containers
90- if : steps.changed-files.outputs.any_changed == 'true'
91- run : ' docker ps -a'
104+ - name : Run Trivy Image scanner
105+ uses : aquasecurity/trivy-action@0.24.0
106+ with :
107+ scan-type : " image"
108+ image-ref : " georgedavisibexlabs/publish-sarif-to-jira:main"
109+ limit-severities-for-sarif : true
110+ trivy-config : .github/config/trivy-sarif.yaml
92111
93- - name : List Docker Images
94- if : steps.changed-files.outputs.any_changed == 'true'
95- run : ' docker images'
96-
97- # - name: Run Trivy Image scanner
98- # uses: aquasecurity/trivy-action@0.24.0
99- # with:
100- # scan-type: 'image'
101- # image-ref: 'georgedavisibexlabs/publish-sarif-to-jira'
102- # limit-severities-for-sarif: true
103- # trivy-config: .github/config/trivy-sarif.yaml
104-
105- # - name: Upload Trivy Image scan results
106- # uses: actions/upload-artifact@v4.3.6
107- # with:
108- # name: trivy-image-scan-results
109- # path: trivy-image-scan-results.sarif
110- # retention-days: 30
111-
112- # - name: Upload Trivy scan results to GitHub Security tab
113- # uses: github/codeql-action/upload-sarif@v3
114- # with:
115- # sarif_file: 'trivy-image-scan-results.sarif'
112+ - name : Upload Trivy Image scan results
113+ uses : actions/upload-artifact@v4.3.6
114+ with :
115+ name : trivy-image-scan-results
116+ path : trivy-image-scan-results.sarif
117+ retention-days : 30
118+
119+ - name : Upload Trivy scan results to GitHub Security tab
120+ uses : github/codeql-action/upload-sarif@v3
121+ with :
122+ sarif_file : " trivy-image-scan-results.sarif"
0 commit comments