add image scan for test and publish workflows #126
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Run Tests | |
| on: | |
| push: | |
| branches: [ "main" ] | |
| paths: | |
| - trusted_library/** | |
| - openapi/** | |
| - src/** | |
| pull_request: | |
| branches: [ "main" ] | |
| permissions: | |
| contents: read | |
| jobs: | |
| build: | |
| name: test | |
| runs-on: ubuntu-latest | |
| outputs: | |
| version: ${{ steps.properties.outputs.version }} | |
| changelog: ${{ steps.properties.outputs.changelog }} | |
| steps: | |
| # Check out current repository | |
| - name: Fetch Sources | |
| uses: actions/checkout@v3.5.1 | |
| # Validate wrapper | |
| - name: Gradle Wrapper Validation | |
| uses: gradle/wrapper-validation-action@v1.0.6 | |
| # Setup Java 17 environment for the next steps | |
| - name: Setup Java | |
| uses: actions/setup-java@v3 | |
| with: | |
| distribution: zulu | |
| java-version: 17 | |
| cache: gradle | |
| - name: Run Tests | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: ./gradlew test | |
| - name: Run Trivy vulnerability scanner (Repo scan) | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: 'fs' # 'fs' scans the filesystem (dependencies and IaC) | |
| scan-ref: '.' | |
| vuln-type: 'os,library' | |
| ignore-unfixed: true | |
| format: 'table' | |
| exit-code: '1' # Fails the PR if high/critical issues are found | |
| severity: 'CRITICAL,HIGH' |