26 changes: 21 additions & 5 deletions .github/workflows/publish-release.yml
Expand Up @@ -4,7 +4,7 @@ on:
workflow_dispatch:
inputs:
is_prerelease:
description: 'Create a pre-release (RC) version'
description: "Create a pre-release (RC) version"
required: false
type: boolean
default: false
Expand Down Expand Up @@ -35,6 +35,22 @@ jobs:
restore-keys: |
${{ runner.os }}-ballerina-

- name: Generate SBOM
env:
packageUser: ${{ github.actor }}
packagePAT: ${{ secrets.GITHUB_TOKEN }}
run: ./gradlew cyclonedxBom

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: "sbom"
scan-ref: "build/sbom.json"
format: "table"
timeout: "10m0s"
exit-code: "1"
severity: "CRITICAL,HIGH"

- name: Set version env variable
run: |
# Extract BASE_VERSION from gradle.properties (strip any suffix after '-')
Expand All @@ -45,18 +61,18 @@ jobs:
# Pre release - determine the next RC number
# Fetch all tags to check for existing RC tags
git fetch --tags

# Find the highest RC number for this base version
HIGHEST_RC=$(git tag -l "v${BASE_VERSION}-rc.*" | sed "s/v${BASE_VERSION}-rc.//" | sort -n | tail -1)

if [ -z "$HIGHEST_RC" ]; then
# No RC tags found, start with rc1
RC_NUMBER=1
else
# Increment the highest RC number
RC_NUMBER=$((HIGHEST_RC + 1))
fi

echo VERSION=${BASE_VERSION}-rc.${RC_NUMBER} >> $GITHUB_ENV
echo PRE_RELEASE=true >> $GITHUB_ENV
else
Expand All @@ -73,7 +89,7 @@ jobs:
echo "Pre Release: ${PRE_RELEASE}"
git config user.name ${{ secrets.BALLERINA_BOT_USERNAME }}
git config user.email ${{ secrets.BALLERINA_BOT_EMAIL }}

# Check if release branch exists in origin
if git ls-remote --heads origin release-${BASE_VERSION} | grep -q release-${BASE_VERSION}; then
echo "Branch release-${BASE_VERSION} exists in origin, checking out..."
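Review bot: The new "Run Trivy vulnerability scanner" step pins the action to a mutable branch, `uses: aquasecurity/trivy-action@master`, so every release run executes whatever that branch currently contains; the same reference is used in the new .github/workflows/trivy.yml. Pin it to an immutable reference, preferably a full commit SHA with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha> # <release-tag>`, and let Dependabot/Renovate move the pin. The enclosing job starts outside this hunk, so I cannot see whether the workflow declares a `permissions:` block; the Trivy step needs none beyond `contents: read`, and the SBOM step only passes `secrets.GITHUB_TOKEN` to Gradle, so a top-level least-privilege block is worth confirming.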
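--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,38 @@
+name: Trivy
+
+on:
+workflow_dispatch:
+schedule:
+- cron: "30 7 * * *"
+
+jobs:
+ubuntu-build:
+name: Build on Ubuntu
+runs-on: ubuntu-latest
+steps:
+- name: Checkout repository
+uses: actions/checkout@v4
+
+- name: Set up JDK 21
+uses: actions/setup-java@v3
+with:
+distribution: "temurin"
+java-version: 21.0.3
+
+- name: Setup Gradle
+uses: gradle/gradle-build-action@v2
+
+- name: Generate SBOM
+env:
+packageUser: ${{ github.actor }}
+packagePAT: ${{ secrets.GITHUB_TOKEN }}
+run: ./gradlew cyclonedxBom
+
+- name: Run Trivy vulnerability
+uses: aquasecurity/trivy-action@master
+with:
+scan-type: "sbom"
+scan-ref: "build/sbom.json"
+format: "table"
+timeout: "10m0s"
+exit-code: "1"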
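Review bot: The Trivy step here sets `exit-code: "1"` but, unlike the matching step in publish-release.yml, has no `severity:` filter, so this scheduled job will presumably fail on any finding down to LOW/UNKNOWN (Trivy's default severity set includes all levels — confirm against the action's docs); add `severity: "CRITICAL,HIGH"` after `exit-code` so both workflows enforce the same bar. The workflow also declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope while only needing `permissions:` / `  contents: read` at the top level. Minor consistency point: `actions/checkout@v4` sits next to `actions/setup-java@v3` and `gradle/gradle-build-action@v2`; consider moving the older pins to their current majors in the same change, and add a `# Daily SBOM + vulnerability scan; fails on CRITICAL/HIGH findings` comment above `on:` so the job's purpose is visible without reading the steps.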
11 changes: 11 additions & 0 deletions build.gradle
Expand Up @@ -20,6 +20,7 @@ plugins {
id "com.github.johnrengelman.shadow" version "${shadowJarPluginVersion}"
id "de.undercouch.download" version "${downloadPluginVersion}"
id "net.researchgate.release" version "${releasePluginVersion}"
id "org.cyclonedx.bom" version "${cyclonedxBomPluginVersion}"
id "java"
}
apply plugin: 'maven-publish'
Expand Down Expand Up @@ -404,6 +405,16 @@ release {
}
}

// Configure CycloneDX SBOM generation
cyclonedxBom {
includeConfigs = ["externalJarDeps"]
schemaVersion = "1.4"
destination = file("$buildDir")
outputName = "sbom"
outputFormat = "json"
includeBomSerialNumber = true
}

build.dependsOn test
build.doNotTrackState("build needs to run every time")
publishToMavenLocal.dependsOn build
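Review bot: `includeConfigs = ["externalJarDeps"]` limits the SBOM — and therefore everything the Trivy steps in both workflows scan — to the artifacts in that single configuration, so any dependency resolved through another configuration is invisible to the scan; confirm that `externalJarDeps` is the complete set of shipped third-party jars, and record the intent in the comment, e.g. `// Configure CycloneDX SBOM generation; only externalJarDeps is shipped, so only it is scanned`. The declared `outputName`/`outputFormat` pair yields build/sbom.json, which matches the `scan-ref` used by the workflows, so that wiring is consistent. `destination = file("$buildDir")` relies on `buildDir`, which is deprecated in recent Gradle releases in favour of the lazy `layout.buildDirectory` API; if the project is on Gradle 8+, `destination = layout.buildDirectory.get().asFile` avoids the deprecation warning (hedged — the Gradle version is not visible in this hunk).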
1 change: 1 addition & 0 deletions gradle.properties
Expand Up @@ -13,6 +13,7 @@ puppycrawlCheckstyleVersion=10.12.1
releasePluginVersion=2.8.0
shadowJarPluginVersion=8.1.1
spotbugsPluginVersion=6.0.18
cyclonedxBomPluginVersion=1.8.2
testngVersion=7.7.0
graphqlJavaVersion=21.5
sqliteJdbcVersion=3.41.2.2