feat(ci): scan CP docker image with trivy

zama-ai · Oct 31, 2024 · a9a1882 · a9a1882
1 parent fe12713
commit a9a1882
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/.github/workflows/concrete_python_push_docker_image.yml b/.github/workflows/concrete_python_push_docker_image.yml
@@ -34,6 +34,16 @@ jobs:
           mkdir empty_context
           docker image build -t ${{ env.NAME_TAG }} --build-arg version=${{ env.VERSION }} -f ${{ env.DOCKER_FILE }} empty_context
 
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
+        with:
+          image-ref: '${{ env.NAME_TAG }}'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
       - name: Login to Docker Hub
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
         with: