7777 name : " eps-devcontainer-base-${{ inputs.docker_tag }}-${{ matrix.arch }}.img"
7878 path : |
7979 eps-devcontainer-base-${{ inputs.docker_tag }}-${{ matrix.arch }}.img
80- - name : Check docker vulnerabilities
80+ - name : Check docker vulnerabilities - json output
81+ uses : aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
82+ with :
83+ scan-type : " image"
84+ image-ref : " ghcr.io/nhsdigital/eps-devcontainers:${{ inputs.docker_tag }}-${{ matrix.arch }}"
85+ severity : " CRITICAL,HIGH"
86+ scanners : " vuln"
87+ vuln-type : " os,library"
88+ format : " json"
89+ output : " scan_results_docker_${{ matrix.arch }}.json"
90+ exit-code : " 0"
91+ trivy-config : trivy.yaml
92+ - uses : actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f
93+ name : Upload scan results
94+ with :
95+ name : " scan_results_docker_${{ matrix.arch }}.json"
96+ path : |
97+ "scan_results_docker_${{ matrix.arch }}.json"
98+ - name : Check docker vulnerabilities - table output
8199 uses : aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8
82100 with :
83101 scan-type : " image"
@@ -86,16 +104,16 @@ jobs:
86104 scanners : " vuln"
87105 vuln-type : " os,library"
88106 format : " table"
89- output : " dependency_results_docker .txt"
107+ output : " scan_results_docker .txt"
90108 exit-code : " 1"
91109 trivy-config : trivy.yaml
92110
93111 - name : Show docker vulnerability output
94112 if : always()
95113 run : |
96114 echo "Scan output for ghcr.io/nhsdigital/eps-devcontainers:${DOCKER_TAG}-${ARCHITECTURE}"
97- if [ -f dependency_results_docker .txt ]; then
98- cat dependency_results_docker .txt
115+ if [ -f scan_results_docker .txt ]; then
116+ cat scan_results_docker .txt
99117 fi
100118 env :
101119 ARCHITECTURE : ' ${{ matrix.arch }}'
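Review bot: The artifact `path` in the new "Upload scan results" step (new lines 96–97) is a block scalar whose content line carries literal double quotes, so upload-artifact is handed the filename `"scan_results_docker_<arch>.json"` with the quote characters included and will not match the file Trivy writes via `output` on new line 89. The earlier upload step at lines 78–79 shows the intended form; change line 97 to `scan_results_docker_${{ matrix.arch }}.json` (no quotes), or drop the block scalar and write `path: scan_results_docker_${{ matrix.arch }}.json`. Because the JSON scan step runs with `exit-code: "0"`, a missing file would likely surface only as an upload warning rather than a failed job, so it is worth confirming in a run's logs that the JSON report is actually attached after the fix. The enclosing job and the start of this file section lie above this chunk.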