feat: add pip file scanning

jon-nfc · jon-nfc · commit e9e6a6a83d77 · 2024-08-11T19:53:40.000+09:30
diff --git a/.github/workflows/python.yaml b/.github/workflows/python.yaml
@@ -379,3 +379,35 @@ jobs:
           echo "[Debug] PWD[${PWD}]";
           echo "[Debug] ****************************";
           git push
+
+
+
+  vulnerability-scan:
+    name: Repo scan
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: Run Trivy vulnerability scanner (sarif Report)
+        if:
+          (${{
+            inputs.DOCKER_SCAN_IMAGE_VULNERABILITY
+          }})
+        uses: aquasecurity/trivy-action@0.20.0
+        with:
+          image-ref: '${{ inputs.DOCKER_BUILD_REGISTRY }}/${{ inputs.DOCKER_BUILD_IMAGE_NAME }}:${{ inputs.DOCKER_BUILD_IMAGE_TAG }}'
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: 'LOW,MEDIUM,HIGH,CRITICAL'
+          vuln-type: 'os'
+          scanners: vuln
+          ignore-unfixed: true
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        if:
+          (${{
+            inputs.DOCKER_SCAN_IMAGE_VULNERABILITY
+          }})
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
+
