add trivy scan to 3 module builds

jianmingtu · jianmingtu · commit 1366ac132f2e · 2025-04-08T09:37:11.000-07:00
diff --git a/.github/workflows/dev-efiling-admin-build.yaml b/.github/workflows/dev-efiling-admin-build.yaml
@@ -27,6 +27,26 @@ jobs:
         run: |
           docker compose build efiling-demo
           docker tag jag-file-submission-efiling-demo artifacts.developer.gov.bc.ca/efc7-efiling-admin/efiling-admin:dev
+
+      #Run Vulnerability Scan usinig Trivy scanner
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: image
+          image-ref: jag-file-submission-efiling-demo
+          format: sarif
+          output: trivy-results.sarif
+          exit-code: 1
+          ignore-unfixed: true
+          limit-severities-for-sarif: true
+          severity: HIGH,CRITICAL
+
+      #Upload results to the Github security tab.
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif
       
       - name: Docker Push to Artifactory
         run: |
diff --git a/.github/workflows/dev-efiling-api-build.yaml b/.github/workflows/dev-efiling-api-build.yaml
@@ -31,6 +31,26 @@ jobs:
         run: |
           docker compose build efiling-api
           docker tag jag-file-submission-efiling-api artifacts.developer.gov.bc.ca/efc7-efiling-api/efiling-api:dev
+
+      #Run Vulnerability Scan usinig Trivy scanner
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: image
+          image-ref: jag-file-submission-efiling-api
+          format: sarif
+          output: trivy-results.sarif
+          exit-code: 1
+          ignore-unfixed: true
+          limit-severities-for-sarif: true
+          severity: HIGH,CRITICAL
+
+      #Upload results to the Github security tab.
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif
       
       - name: Docker Push to Artifactory
         run: |
diff --git a/.github/workflows/dev-efiling-frontend-build.yaml b/.github/workflows/dev-efiling-frontend-build.yaml
@@ -26,6 +26,26 @@ jobs:
         run: |
           docker compose build efiling-frontend
           docker tag jag-file-submission-efiling-frontend artifacts.developer.gov.bc.ca/efc7-efiling-frontend/efiling-frontend:dev
+
+      #Run Vulnerability Scan usinig Trivy scanner
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: image
+          image-ref: jag-file-submission-efiling-frontend
+          format: sarif
+          output: trivy-results.sarif
+          exit-code: 1
+          ignore-unfixed: true
+          limit-severities-for-sarif: true
+          severity: HIGH,CRITICAL
+
+      #Upload results to the Github security tab.
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: trivy-results.sarif
       
       - name: Docker Push to Artifactory
         run: |
