ci: add trivy image scanning (#1663)

* add trivy image scanning * implement as partial workflow * support both the frontend and backend Dockerfiles for scanning * fix docker build context location
2025-07-09 03:04:54 -04:00 · 2022-11-30 22:21:46 -07:00 · 2022-11-30 22:21:46 -07:00 · 0801f0a908
commit 0801f0a908
parent 82dc586bac
3 changed files with 70 additions and 0 deletions
--- a/.github/workflows/partial-trivy-backend-container-scanning.yml
+++ b/.github/workflows/partial-trivy-backend-container-scanning.yml
@ -0,0 +1,31 @@
+name: Trivy Backend Container Scanning
+
+on:
+  workflow_call:
+
+jobs:
+  build:
+    name: Build and Scan Backend Container
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Build Dockerfile
+        run: |
+          docker build -t mealie .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          ignore-unfixed: true
+          image-ref: "mealie"
+          format: "sarif"
+          output: "trivy-results.sarif"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: "trivy-results.sarif"
--- a/.github/workflows/partial-trivy-frontend-container-scanning.yml
+++ b/.github/workflows/partial-trivy-frontend-container-scanning.yml
@ -0,0 +1,31 @@
+name: Trivy Frontend Container Scanning
+
+on:
+  workflow_call:
+
+jobs:
+  build:
+    name: Build and Scan Frontend Container
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: true
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Build Dockerfile
+        run: |
+          docker build -t mealie ./frontend/
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          ignore-unfixed: true
+          image-ref: "mealie"
+          format: "sarif"
+          output: "trivy-results.sarif"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: "trivy-results.sarif"
--- a/.github/workflows/pull-requests.yml
+++ b/.github/workflows/pull-requests.yml
@ -13,3 +13,11 @@ jobs:
  frontend-tests:
    name: "Frontend and End-to-End Tests"
    uses: ./.github/workflows/partial-frontend.yml
+
+  backend-container-scanning:
+    name: "Trivy Backend Container Scanning"
+    uses: ./.github/workflows/partial-trivy-backend-container-scanning.yml
+
+  frontend-container-scanning:
+    name: "Trivy Frontend Container Scanning"
+    uses: ./.github/workflows/partial-trivy-frontend-container-scanning.yml