Add Trivy vulnerability scanning to CI workflow

2025-12-31 14:48:48 +01:00 · 2025-09-25 14:34:20 +03:00 · 2025-09-25 14:34:20 +03:00 · 19c362d0f3
commit 19c362d0f3
parent 09282183c1
1 changed files with 37 additions and 0 deletions
--- a/.github/workflows/e2e-testing.yml
+++ b/.github/workflows/e2e-testing.yml
@ -34,6 +34,21 @@ jobs:
          # Save the tag for later steps
          echo "WEKAN_IMAGE_TAG=$TAG" >> $GITHUB_ENV

+      - name: Install Trivy
+          run: |
+            sudo apt-get update
+            sudo apt-get install -y wget
+            wget https://github.com/aquasecurity/trivy/releases/latest/download/trivy_0.50.0_Linux-64bit.deb
+            sudo dpkg -i trivy_0.50.0_Linux-64bit.deb
+
+      - name: Scan Wekan Docker image for vulnerabilities
+          env:
+            WEKAN_IMAGE_TAG: ${{ env.WEKAN_IMAGE_TAG }}
+            DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+          run: |
+            docker pull $DOCKERHUB_USERNAME/wekan:$WEKAN_IMAGE_TAG
+            trivy image $DOCKERHUB_USERNAME/wekan:$WEKAN_IMAGE_TAG || true
+
      - name: Create .env file
        run: |
          echo "WEKAN_IMAGE=omriza5/wekan:${WEKAN_IMAGE_TAG}" >> .env
@ -83,6 +98,28 @@ jobs:
            sudo docker compose pull
            sudo docker compose up -d

+    security-scan:
+    needs: deploy
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install Trivy
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y wget
+          wget https://github.com/aquasecurity/trivy/releases/latest/download/trivy_0.50.0_Linux-64bit.deb
+          sudo dpkg -i trivy_0.50.0_Linux-64bit.deb
+
+      - name: Scan Wekan Docker image for vulnerabilities
+        env:
+          WEKAN_IMAGE_TAG: ${{ needs.deploy.outputs.wekan_image_tag }}
+          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+        run: |
+          docker pull $DOCKERHUB_USERNAME/wekan:$WEKAN_IMAGE_TAG
+          trivy image $DOCKERHUB_USERNAME/wekan:$WEKAN_IMAGE_TAG || true
+
  API-tests:
    needs: deploy
    runs-on: ubuntu-latest