pipelines/.github/workflows/trivy_fs.yaml
Lars Hampe 77a5c67b71
feat: add version inputs for sonarqube and dependency track
2026-03-20 23:54:33 +01:00
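# Reusable workflow: generate a CycloneDX SBOM of the checked-out tree with
# Trivy, upload it to Dependency-Track and fail the job when the project
# metrics report any Critical findings.
#
# Security notes for this file:
#   * secrets and caller-controlled inputs are passed to scripts via `env:` and
#     quoted in bash; they are never interpolated with `${{ }}` inside `run:`,
#     which would splice their raw text into the shell source (script injection)
#   * caller-controlled form fields use `--form-string` so a value starting with
#     `@` or `<` cannot make curl read a file from the runner
#   * the Trivy binary can be pinned via `trivy_version`; note the install script
#     itself is still fetched from the upstream `main` branch
on:
  workflow_call:
    inputs:
      version:
        description: Project version recorded in Dependency-Track for this SBOM upload
        required: false
        type: string
        default: ''
      trivy_version:
        description: >-
          Trivy release tag to install (a vX.Y.Z tag as published on the Trivy
          releases page). Empty installs the latest release, which is the
          previous behaviour; pin it so the scanner cannot change underneath
          the pipeline.
        required: false
        type: string
        default: ''
    secrets:
      DEPENDENCYTRACK_URL:
        required: true
      DEPENDENCYTRACK_API_KEY:
        required: true
      DEPENDENCYTRACK_PROJECT_UUID:
        required: true

name: Trivy

jobs:
  trivy:
    name: SBOM & Dependency Track
    runs-on: ubuntu-latest
    # Least privilege: nothing in this job writes back to the repository, and
    # checkout only needs read access.
    permissions:
      contents: read
    defaults:
      run:
        # Explicit bash runs every step with `-e -o pipefail` (the implicit
        # default is only `bash -e`), so a failing `curl | python3` pipeline
        # fails the step instead of feeding python an empty body.
        shell: bash
    steps:
      - name: Checkout
        # NOTE(review): third-party actions are best pinned to a full commit SHA
        # rather than a moving tag.
        uses: actions/checkout@v4

      - name: Install Trivy
        env:
          TRIVY_VERSION: ${{ inputs.trivy_version }}
        run: |
          # The installer script is fetched from the upstream `main` branch, so it
          # is unpinned even when TRIVY_VERSION pins the binary it downloads.
          # The optional trailing argument is the release tag understood by the
          # installer; when TRIVY_VERSION is empty no argument is passed (latest).
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
            | sh -s -- -b /usr/local/bin ${TRIVY_VERSION:+"$TRIVY_VERSION"}
          trivy --version

      - name: Generate SBOM
        run: |
          # CycloneDX output only; vulnerability analysis happens in
          # Dependency-Track, not in Trivy.
          trivy fs . \
            --format cyclonedx \
            --output sbom.json \
            --quiet
          echo "✅ SBOM generated"

      - name: Upload SBOM to Dependency-Track
        id: upload
        env:
          DT_URL: ${{ secrets.DEPENDENCYTRACK_URL }}
          DT_API_KEY: ${{ secrets.DEPENDENCYTRACK_API_KEY }}
          DT_PROJECT_UUID: ${{ secrets.DEPENDENCYTRACK_PROJECT_UUID }}
          PROJECT_VERSION: ${{ inputs.version }}
        run: |
          RESPONSE="$RUNNER_TEMP/dt-response.json"
          # `${DT_URL%/}` tolerates a configured URL with a trailing slash.
          # `--form-string` takes the value literally; plain `-F` would treat a
          # leading `@`/`<` as "read this file".
          HTTP_STATUS=$(curl --silent --show-error \
            --output "$RESPONSE" \
            --write-out "%{http_code}" \
            -X POST "${DT_URL%/}/api/v1/bom" \
            -H "X-Api-Key: ${DT_API_KEY}" \
            -H "Content-Type: multipart/form-data" \
            --form-string "project=${DT_PROJECT_UUID}" \
            --form-string "projectVersion=${PROJECT_VERSION}" \
            -F "bom=@sbom.json")
          echo "Response: $(cat "$RESPONSE")"
          if [ "$HTTP_STATUS" -ne 200 ]; then
            echo "❌ Upload failed HTTP Status: ${HTTP_STATUS}"
            exit 1
          fi
          # A successful upload returns a processing token; hand it to the next
          # step so it can wait for analysis instead of guessing with a sleep.
          # Any parse problem yields an empty token and the next step falls back
          # to the fixed grace period.
          TOKEN=$(python3 - "$RESPONSE" <<'PY'
          import json, sys
          try:
              with open(sys.argv[1]) as fh:
                  print(json.load(fh).get("token", ""))
          except (OSError, ValueError, AttributeError):
              print("")
          PY
          )
          echo "token=${TOKEN}" >> "$GITHUB_OUTPUT"
          echo "✅ SBOM uploaded"

      - name: Check Dependency-Track Results
        env:
          DT_URL: ${{ secrets.DEPENDENCYTRACK_URL }}
          DT_API_KEY: ${{ secrets.DEPENDENCYTRACK_API_KEY }}
          DT_PROJECT_UUID: ${{ secrets.DEPENDENCYTRACK_PROJECT_UUID }}
          BOM_TOKEN: ${{ steps.upload.outputs.token }}
        run: |
          echo "⏳ Wait for results..."
          if [ -n "$BOM_TOKEN" ]; then
            # Poll the BOM processing token (bounded, ~3 minutes) so the gate
            # below reads metrics that include this upload rather than the
            # previous one. A fixed sleep passed or failed on stale data.
            DONE=0
            for _ in $(seq 1 36); do
              PROCESSING=$(curl --silent --show-error --fail \
                -H "X-Api-Key: ${DT_API_KEY}" \
                "${DT_URL%/}/api/v1/bom/token/${BOM_TOKEN}" \
                | python3 -c 'import json, sys; print("1" if json.load(sys.stdin).get("processing") else "0")')
              if [ "$PROCESSING" = "0" ]; then
                DONE=1
                break
              fi
              sleep 5
            done
            if [ "$DONE" -ne 1 ]; then
              echo "⚠️ BOM still processing after the wait limit; metrics below may be stale"
            fi
          else
            # No token came back; keep the original fixed grace period.
            sleep 15
          fi
          # Project metrics are recalculated asynchronously after analysis, so a
          # short lag between "processing finished" and updated counts is
          # possible. `--fail` turns an auth/URL error into a step failure
          # instead of silently parsing an HTML error page as "0 findings".
          METRICS="$RUNNER_TEMP/dt-metrics.json"
          curl --silent --show-error --fail \
            --output "$METRICS" \
            "${DT_URL%/}/api/v1/metrics/project/${DT_PROJECT_UUID}/current" \
            -H "X-Api-Key: ${DT_API_KEY}"
          python3 - "$METRICS" <<'PY'
          import json, sys
          # An empty body (project without metrics yet) counts as zero findings.
          with open(sys.argv[1]) as fh:
              body = fh.read().strip()
          d = json.loads(body) if body else {}
          if not isinstance(d, dict):
              d = {}
          critical = d.get('critical', 0)
          high = d.get('high', 0)
          medium = d.get('medium', 0)
          low = d.get('low', 0)
          print(f'┌─ Dependency-Track Results ────')
          print(f'│ Critical : {critical}')
          print(f'│ High : {high}')
          print(f'│ Medium : {medium}')
          print(f'│ Low : {low}')
          print(f'└───────────────────────────────')
          # Gate only on Critical, as before; High/Medium/Low are reported only.
          if critical > 0:
              print('❌ Critical found!')
              sys.exit(1)
          print('✅ Passed')
          PY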