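# Builds every service defined in docker-compose.yml and scans the resulting
# image with Trivy, failing the job if any service has a HIGH or CRITICAL
# finding. Runs nightly, on pushes to `dev`, and on manual dispatch.
name: Trivy Scan

on:
  schedule:
    # Run at midnight SGT (UTC+8) daily - 16:00 UTC
    - cron: '0 16 * * *'
  push:
    branches: [dev]
  workflow_dispatch:

# Least privilege: the only GitHub API interaction below is the checkout, so the
# job token needs nothing beyond read access to the repository contents.
permissions:
  contents: read

jobs:
  trivy-scan:
    runs-on: ubuntu-latest
    steps:
      # Third-party action that deletes preinstalled toolchains to free disk.
      # NOTE(review): it is referenced by a mutable tag; pin it to a full commit
      # SHA (and review that revision) so a moved tag cannot change what runs
      # with sudo on this runner.
      - name: Maximize build space
        uses: AdityaGarg8/remove-unwanted-software@v4.1
        with:
          remove-android: 'true'
          remove-haskell: 'true'
          remove-codeql: 'true'

      - name: Free up additional space
        run: |
          sudo rm -rf /usr/share/dotnet
          sudo rm -rf /usr/local/lib/android
          sudo rm -rf /opt/ghc
          sudo rm -rf /opt/hostedtoolcache/CodeQL
          sudo docker system prune -af
          sudo apt-get autoremove -y
          sudo apt-get autoclean
          echo "=== Disk space after cleanup ==="
          df -h

      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      # NOTE(review): this pipes an unpinned installer fetched from the `main`
      # branch straight into sh, with no checksum or signature verification, so a
      # compromised script or branch becomes code execution on the runner. Pin the
      # script URL and the Trivy release to a tagged version and verify the
      # downloaded binary before trusting its scan results.
      - name: Install Trivy CLI
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin

      # Exposes the short SHA, a tag-derived version string and the lower-cased
      # repository owner to later steps via GITHUB_ENV. No step in this file reads
      # them directly; presumably docker-compose.yml / build args consume them --
      # confirm before removing.
      - name: Extract metadata
        id: meta
        run: |
          SHORT_SHA=$(git rev-parse --short HEAD)
          echo "SHORT_SHA=$SHORT_SHA" >> "$GITHUB_ENV"
          # Shallow checkout does not bring tags; fetch them so the latest
          # semver tag can be found (falls back to v0.0.0 when there is none).
          git fetch --tags
          LATEST_TAG=$(git tag --list 'v*.*.*' | sort -V | tail -n1)
          FALLBACK_TAG="${LATEST_TAG:-v0.0.0}"
          echo "GIT_TAG=${FALLBACK_TAG}-${SHORT_SHA}" >> "$GITHUB_ENV"
          echo "REPO_OWNER_LC=${GITHUB_REPOSITORY_OWNER,,}" >> "$GITHUB_ENV"

      # Compose needs a .env next to each compose context; seed it from the
      # committed example so the config resolves without real secrets.
      - name: Copy example.env to .env
        run: |
          echo "Copying example.env to .env..."
          find . -name "example.env" | while IFS= read -r f; do
            cp "$f" "$(dirname "$f")/.env"
            echo "✓ Created $(dirname "$f")/.env"
          done

      - name: Run Trivy scan for each service individually
        # The exclusion list is scoped to this step only, instead of the whole
        # job, so third-party actions above never see the secret.
        # NOTE(review): if this list is plain configuration rather than something
        # sensitive, a repository variable (vars.*) keeps it reviewable; a secret
        # hides which services are silently skipped.
        env:
          TRIVY_EXCLUDE_SERVICES: ${{ secrets.TRIVY_EXCLUDE_SERVICES }}
        run: |
          echo "=== Getting all services from docker-compose.yml ==="
          ALL_SERVICES=$(docker compose config --services)
          FAILED_SERVICES=""
          SUCCESSFUL_SERVICES=""
          for SERVICE in $ALL_SERVICES; do
            # Space-delimited exact-name match. A glob comparison is used instead
            # of =~ so a service name containing regex metacharacters (e.g. '.')
            # cannot accidentally match a different service.
            if [[ " $TRIVY_EXCLUDE_SERVICES " == *" $SERVICE "* ]]; then
              echo "Skipping $SERVICE (excluded via secret)"
              continue
            fi
            echo ""
            echo "=========================================="
            echo "Scanning $SERVICE"
            echo "=========================================="
            # Build the service. A build failure is recorded and the loop moves
            # on, so every remaining service is still scanned and the summary
            # below is reached (the runner's default `bash -e` would otherwise
            # abort the whole step on the first broken build).
            echo "Building $SERVICE..."
            if ! docker compose build "$SERVICE"; then
              echo "✗ $SERVICE failed to build"
              FAILED_SERVICES="$FAILED_SERVICES $SERVICE"
              continue
            fi
            # Get image ID for this service.
            # NOTE(review): this is a substring match on the image reference, so
            # if one service name is contained in another the first hit may be the
            # wrong image; resolve the image name from `docker compose config`
            # instead if service names overlap.
            IMAGE_ID=$(docker images --filter=reference="*${SERVICE}*" --format "{{.ID}}" | head -n1)
            if [[ -z "$IMAGE_ID" ]]; then
              echo "✗ No image found for $SERVICE after build"
              FAILED_SERVICES="$FAILED_SERVICES $SERVICE"
              continue
            fi
            echo "Running Trivy scan on $SERVICE ($IMAGE_ID)..."
            # --exit-code 1 makes any HIGH/CRITICAL finding a failure for this
            # service; the overall step fails at the end if any service failed.
            if trivy image --exit-code 1 --severity CRITICAL,HIGH --no-progress "$IMAGE_ID"; then
              echo "✓ $SERVICE passed Trivy scan"
              SUCCESSFUL_SERVICES="$SUCCESSFUL_SERVICES $SERVICE"
            else
              echo "✗ $SERVICE failed Trivy scan"
              FAILED_SERVICES="$FAILED_SERVICES $SERVICE"
            fi
            # Clean up this service’s build artifacts so the runner does not run
            # out of disk part-way through the service list.
            docker compose rm -f "$SERVICE" || true
            docker builder prune --force
            docker system prune --force
            echo "=== Disk space after scanning $SERVICE ==="
            df -h | grep -E "(/$)"
          done
          echo ""
          echo "=========================================="
          echo "TRIVY SCAN SUMMARY"
          echo "=========================================="
          if [ -n "$SUCCESSFUL_SERVICES" ]; then
            echo "✓ PASSED:$SUCCESSFUL_SERVICES"
          fi
          if [ -n "$FAILED_SERVICES" ]; then
            echo "✗ FAILED:$FAILED_SERVICES"
            exit 1
          fi
          echo "All services passed Trivy scan!"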