[CI] Deploy CI

admin-cloudforet · admin-cloudforet · commit a1559dc86557 · 2023-05-09T19:08:54.000+09:00
diff --git a/.github/workflows/push_build_dev.yaml b/.github/workflows/push_build_dev.yaml
@@ -1,9 +1,14 @@
 name: "[Push] Build dev"
 
 on:
+  push:
+    branches:
+      - master
+    paths-ignore:
+      - '.github/**'
+      - 'src/VERSION'
+      - 'docs/**'
   workflow_dispatch:
-  repository_dispatch:
-    types: [master_push]
 
 env:
   SLACK_WEBHOOK_URL: ${{secrets.SLACK_WEBHOOK_URL}}
@@ -58,6 +63,82 @@ jobs:
             fields: repo,workflow,job
             author_name: Github Action Slack
 
+  scan:
+    needs: docker
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Run Trivy vulnerability scanner
+        id: trivy-scan
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: pyengine/${{ github.event.repository.name }}:${{ env.VERSION }}
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+      - name: Count vulnerabilities
+        id: vulnerabilities
+        run: |
+          count=$(jq '.runs[].results[].ruleId' ./trivy-results.sarif | wc -c)
+          echo "result_count=$count" >> $GITHUB_OUTPUT
+          echo "$count"
+
+      - name: slack
+        if:  ${{ steps.vulnerabilities.outputs.result_count != 0 }}
+        uses: 8398a7/action-slack@v3
+        with:
+          status: custom
+          fields: workflowRun
+          custom_payload: |
+            {
+              "blocks": [
+                {
+                  "type": "section",
+                  "text": {
+                    "type": "mrkdwn",
+                    "text": ":warning: Image vulnerability detected"
+                  }
+                },
+                {
+                  "type": "section",
+                  "fields": [
+                    {
+                      "type": "mrkdwn",
+                      "text": "*Image:*\n$pyengine/${{ github.event.repository.name }}:${{ env.VERSION }}"
+                    },
+                    {
+                      "type": "mrkdwn",
+                      "text": "*Repo name:*\n${{ github.repository }}"
+                    }
+                  ]
+                },
+                {
+                  "type": "actions",
+                  "elements": [
+                    {
+                      "type": "button",
+                      "text": {
+                        "type": "plain_text",
+                        "emoji": true,
+                        "text": "View Detail"
+                      },
+                      "style": "danger",
+                      "url": "https://github.com/${{ github.repository }}/security/code-scanning"
+                    }
+                  ]
+                }
+              ]
+            }
+        env:
+          SLACK_WEBHOOK_URL: ${{secrets.VULNERABILITY_SLACK_WEBHOOK_URL}} 
+
   notification:
     runs-on: ubuntu-latest
     needs: docker
