trivy ci

raw-labs · Mar 4, 2025 · 688f39e · 688f39e
1 parent 6b78500
commit 688f39e
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 2 deletions.
diff --git a/.github/workflows/docker-ci.yaml b/.github/workflows/docker-ci.yaml
@@ -5,13 +5,52 @@ on:
       - .github/workflows/docker-ci.yaml
       - .github/scripts/**
       - build.sbt
+      - src/**
 
 env:
   GITHUB_TOKEN: ${{ secrets.READ_PACKAGES }}
 
 jobs:
-  build:
+  build-and-test:
+    name: Build, Scan & Test
     runs-on: self-hosted
     steps:
       - uses: actions/checkout@v4
-      - run: .github/scripts/dnd-sbt Docker/publishLocal
+
+      - name: Build Docker image
+        run: |
+          .github/scripts/dnd-sbt Docker/publishLocal
+          IMAGE_NAME=$(.github/scripts/dnd-sbt printDockerImageName | grep DOCKER_IMAGE | cut -d= -f2)
+          echo "IMAGE=${IMAGE_NAME}" >> $GITHUB_ENV
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.IMAGE }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Test image - run container
+        run: |
+          CONTAINER_ID=$(docker run -d -p 50051 ${IMAGE})
+          echo "CONTAINER_ID=${CONTAINER_ID}" >> $GITHUB_ENV
+          sleep 15
+
+      - name: Test image - verify service is running
+        run: |
+          docker exec ${CONTAINER_ID} /opt/docker/bin/healthcheck.sh
+          if [ $? -ne 0 ]; then
+            echo "Service check failed!"
+            exit 1
+          fi
+
+      - name: Cleanup container
+        if: always()
+        run: |
+          if [ ! -z "${CONTAINER_ID}" ]; then
+            docker stop ${CONTAINER_ID}
+            docker rm ${CONTAINER_ID}
+          fi
diff --git a/build.sbt b/build.sbt
@@ -160,3 +160,12 @@ lazy val dockerSettings = strictBuildSettings ++ Seq(
       case None             => Seq(baseAlias)
     }
   })
+
+lazy val printDockerImageName = taskKey[Unit]("Prints the full Docker image name that will be produced")
+
+printDockerImageName := {
+  // Get the main Docker alias (the first one in the sequence)
+  val alias = (Docker / dockerAliases).value.head
+  // The toString method already returns the full image name with registry and tag
+  println(s"DOCKER_IMAGE=${alias}")
+}