Skip to content

Add Trivy image scan workflow #444

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
sidey79 wants to merge 2 commits into
base: dev
Choose a base branch
from
Draft

Add Trivy image scan workflow #444

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
acb1899
Add Trivy image scan workflow
May 2, 2026
c92e913
Merge branch 'dev' into feature/trivy-image-scan
sidey79 Jun 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
154 changes: 128 additions & 26 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -427,13 +427,13 @@ jobs:
--report "${CPAN_ARTIFACT_DIR}/verify/all/all-result.json"


test_build:
# The type of runner that the job will run on
needs: [get_dependencies, base_build]
runs-on: ubuntu-latest
strategy:
matrix:
dockerfile: [-bookworm, -threaded-bookworm]
test_build:
# The type of runner that the job will run on
needs: [get_dependencies, base_build]
runs-on: ubuntu-latest
strategy:
matrix:
dockerfile: [-bookworm, -threaded-bookworm]
# Steps represent a sequence of tasks that will be executed as part of the job
env:
TAG_LATEST: ${{ (contains(matrix.dockerfile,'threaded') || github.event.release.prerelease == 1) && 'false' || 'auto' }}
Expand Down Expand Up @@ -465,16 +465,25 @@ jobs:
name: cpanfile-3rdParty
path: 3rdParty

- name: Prepare docker for build and publish
id: prepareDOCKER
uses: ./.github/workflows/prepare-docker
- name: Prepare docker for build and publish
id: prepareDOCKER
uses: ./.github/workflows/prepare-docker
with:
DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}
DOCKER_HUB_ACCESS_TOKEN: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
GHCR_OWNER: ${{ github.repository_owner }}
GHCR_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
DOCKERFILE: ${{ matrix.dockerfile }}

- name: Prepare local image tag variables
run: |
DOCKERFILE_SLUG="${{ matrix.dockerfile }}"
DOCKERFILE_SLUG="${DOCKERFILE_SLUG#-}"
echo "TRIVY_FULL_IMAGE=fhem-docker:${DOCKERFILE_SLUG}-amd64" >> "$GITHUB_ENV"
echo "TRIVY_MINIMAL_IMAGE=fhem-minimal-docker:${DOCKERFILE_SLUG}-amd64" >> "$GITHUB_ENV"
echo "TRIVY_FULL_SARIF=trivy-fhem-docker-${DOCKERFILE_SLUG}-amd64.sarif" >> "$GITHUB_ENV"
echo "TRIVY_MINIMAL_SARIF=trivy-fhem-minimal-docker-${DOCKERFILE_SLUG}-amd64.sarif" >> "$GITHUB_ENV"

- name: Restore CPM cache for amd64
uses: actions/cache/restore@v5
id: cache-cpm-restore
Expand Down Expand Up @@ -624,22 +633,28 @@ jobs:
type=gha,scope=full_linux/amd64${{ matrix.dockerfile }}
type=gha,scope=fhem_linux/amd64${{ matrix.dockerfile }}
cache-to: type=gha,mode=max,scope=full_linux/amd64${{ matrix.dockerfile }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
IMAGE_VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
IMAGE_VCS_REF=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
CPAN_CPM_CACHE_ID=perl-cpm${{ matrix.dockerfile }}-${{ env.CPAN_CPM_CACHE_VERSION }}
CPAN_CPM_VERSION=${{ env.CPAN_CPM_VERSION }}
CPAN_CPM_MIRROR=${{ env.CPAN_CPM_MIRROR }}
L_USAGE=${{ github.server_url }}/${{ github.repository }}/blob/${{ github.sha }}/README.md
L_VCS_URL=${{ github.server_url }}/${{ github.repository }}/
L_AUTHORS=${{ github.server_url }}/${{ github.repository }}/graphs/contributors

- name: Inspect and run integration tests
run: |
docker image inspect ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
L_VCS_URL=${{ github.server_url }}/${{ github.repository }}/
L_AUTHORS=${{ github.server_url }}/${{ github.repository }}/graphs/contributors

- name: Tag full image for Trivy scan
run: |
docker image tag \
"${{ fromJSON(steps.meta.outputs.json).tags[0] }}" \
"${TRIVY_FULL_IMAGE}"

- name: Inspect and run integration tests
run: |
docker image inspect ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
./scripts/test-integration.sh;

- name: Run build in unittests
Expand Down Expand Up @@ -678,13 +693,100 @@ jobs:
L_VCS_URL=${{ github.server_url }}/${{ github.repository }}/
L_AUTHORS=${{ github.server_url }}/${{ github.repository }}/graphs/contributors

- uses: Wandalen/wretry.action@v3.8.0
name: Run bats unit and integration tests in host network mode
with:
attempt_limit: 3
command: timeout 1m docker run --rm -e GITHUB_RUN_ID=$GITHUB_RUN_ID -v "${PWD}/src/tests/bats:/code" bats-withfhem-extended:latest -T -t . --filter-tags 'extendedOnly'

published_build:
- uses: Wandalen/wretry.action@v3.8.0
name: Run bats unit and integration tests in host network mode
with:
attempt_limit: 3
command: timeout 1m docker run --rm -e GITHUB_RUN_ID=$GITHUB_RUN_ID -v "${PWD}/src/tests/bats:/code" bats-withfhem-extended:latest -T -t . --filter-tags 'extendedOnly'

- name: Run Trivy scan for full image
id: trivy_full
continue-on-error: true
uses: aquasecurity/trivy-action@v0.35.0
with:
image-ref: ${{ env.TRIVY_FULL_IMAGE }}
scan-type: image
format: sarif
output: ${{ env.TRIVY_FULL_SARIF }}
vuln-type: os,library
severity: HIGH,CRITICAL
ignore-unfixed: true
exit-code: '1'

- name: Upload Trivy full image scan artifact
if: always()
uses: actions/upload-artifact@v7
with:
name: trivy-fhem-docker${{ matrix.dockerfile }}-amd64
path: ${{ env.TRIVY_FULL_SARIF }}
if-no-files-found: ignore
overwrite: true

- name: Build minimal image for Trivy scan
uses: docker/build-push-action@v7
id: docker_build_minimal_trivy
with:
context: .
load: true
file: ./Dockerfile${{ matrix.dockerfile }}
platforms: linux/amd64
push: false
target: with-fhem
cache-from: |
type=gha,scope=fhem_linux/amd64${{ matrix.dockerfile }}
type=gha,scope=base_linux/amd64${{ matrix.dockerfile }}
type=gha,scope=base-cpan_linux/amd64${{ matrix.dockerfile }}
tags: ${{ env.TRIVY_MINIMAL_IMAGE }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
IMAGE_VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
IMAGE_VCS_REF=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
CPAN_CPM_CACHE_ID=perl-cpm${{ matrix.dockerfile }}-${{ env.CPAN_CPM_CACHE_VERSION }}
CPAN_CPM_VERSION=${{ env.CPAN_CPM_VERSION }}
CPAN_CPM_MIRROR=${{ env.CPAN_CPM_MIRROR }}
L_USAGE=${{ github.server_url }}/${{ github.repository }}/blob/${{ github.sha }}/README.md
L_VCS_URL=${{ github.server_url }}/${{ github.repository }}/
L_AUTHORS=${{ github.server_url }}/${{ github.repository }}/graphs/contributors

- name: Run Trivy scan for minimal image
id: trivy_minimal
continue-on-error: true
uses: aquasecurity/trivy-action@v0.35.0
with:
image-ref: ${{ env.TRIVY_MINIMAL_IMAGE }}
scan-type: image
format: sarif
output: ${{ env.TRIVY_MINIMAL_SARIF }}
vuln-type: os,library
severity: HIGH,CRITICAL
ignore-unfixed: true
exit-code: '1'

- name: Upload Trivy minimal image scan artifact
if: always()
uses: actions/upload-artifact@v7
with:
name: trivy-fhem-minimal-docker${{ matrix.dockerfile }}-amd64
path: ${{ env.TRIVY_MINIMAL_SARIF }}
if-no-files-found: ignore
overwrite: true

- name: Assert Trivy scan results
if: always()
run: |
STATUS=0
if [ "${{ steps.trivy_full.outcome }}" != "success" ]; then
echo "Trivy reported HIGH or CRITICAL findings for ${TRIVY_FULL_IMAGE}."
STATUS=1
fi
if [ "${{ steps.trivy_minimal.outcome }}" != "success" ]; then
echo "Trivy reported HIGH or CRITICAL findings for ${TRIVY_MINIMAL_IMAGE}."
STATUS=1
fi
exit "$STATUS"

published_build:
runs-on: ubuntu-latest
needs: [test_build, cpan_build]
strategy:
Expand Down
Loading