UPDATED pipeline workflow to include trivy scanning in PRs of this project

davidjeddy · davidjeddy · commit 47a387109658 · 2026-03-10T15:10:36.000+01:00
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
@@ -0,0 +1,118 @@
+name: Build, scan, and test container image
+
+on: [pull_request]
+
+env:
+  REGISTRY: docker.io
+  IMAGE_NAME: appwrite/base
+  TAG: ${{ github.event.release.tag_name }}
+
+jobs:
+  build:
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      pull-requests: write
+    steps:
+
+    - name: Check out code 
+      uses: actions/checkout@v4
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
+        fetch-depth: 0
+
+    - name: Build an image from Dockerfile
+      run: |
+        docker build -t appwrite/docker-base:${{ github.sha }} .
+
+  scan:
+    runs-on: ubuntu-24.04
+    steps:
+    - name: Run Trivy vulnerability scanner on image
+      uses: aquasecurity/trivy-action@0.35.0
+      with:
+          image-ref: 'appwrite/docker-base:${{ github.sha }}'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+
+    - name: Run Trivy vulnerability scanner on source code
+      uses: aquasecurity/trivy-action@0.35.0
+      with:
+        scan-type: 'fs'
+        scan-ref: '.'
+        format: 'json'
+        output: 'trivy-fs-results.json'
+        severity: 'CRITICAL,HIGH'
+
+    - name: Process Trivy scan results
+      id: process-results
+      uses: actions/github-script@v7
+      with:
+        script: |
+          const fs = require('fs');
+          let commentBody = '## Security Scan Results for PR\n\n';
+          function processResults(results, title) {
+            let sectionBody = `### ${title}\n\n`;
+            if (results.Results && results.Results.some(result => result.Vulnerabilities && result.Vulnerabilities.length > 0)) {
+              sectionBody += '| Package | Version | Vulnerability | Severity |\n';
+              sectionBody += '|---------|---------|----------------|----------|\n';
+              const uniqueVulns = new Set();
+              results.Results.forEach(result => {
+                if (result.Vulnerabilities) {
+                  result.Vulnerabilities.forEach(vuln => {
+                    const vulnKey = `${vuln.PkgName}-${vuln.InstalledVersion}-${vuln.VulnerabilityID}`;
+                    if (!uniqueVulns.has(vulnKey)) {
+                      uniqueVulns.add(vulnKey);
+                      sectionBody += `| ${vuln.PkgName} | ${vuln.InstalledVersion} | [${vuln.VulnerabilityID}](https://nvd.nist.gov/vuln/detail/${vuln.VulnerabilityID}) | ${vuln.Severity} |\n`;
+                    }
+                  });
+                }
+              });
+            } else {
+              sectionBody += '🎉 No vulnerabilities found!\n';
+            }
+            return sectionBody;
+          }
+          try {
+            const imageResults = JSON.parse(fs.readFileSync('trivy-image-results.json', 'utf8'));
+            const fsResults = JSON.parse(fs.readFileSync('trivy-fs-results.json', 'utf8'));
+            commentBody += processResults(imageResults, "Docker Image Scan Results");
+            commentBody += '\n';
+            commentBody += processResults(fsResults, "Source Code Scan Results");
+          } catch (error) {
+            commentBody += `There was an error while running the security scan: ${error.message}\n`;
+            commentBody += 'Please contact the core team for assistance.';
+          }
+          core.setOutput('comment-body', commentBody);
+
+    - name: Find Comment
+      uses: peter-evans/find-comment@v3
+      id: fc
+      with:
+        issue-number: ${{ github.event.pull_request.number }}
+        comment-author: 'github-actions[bot]'
+        body-includes: Security Scan Results for PR
+
+    - name: Create or update comment
+      uses: peter-evans/create-or-update-comment@v3
+      with:
+        issue-number: ${{ github.event.pull_request.number }}
+        comment-id: ${{ steps.fc.outputs.comment-id }}
+        body: ${{ steps.process-results.outputs.comment-body }}
+        edit-mode: replace
+
+  test:
+    runs-on: ubuntu-24.04
+    steps:
+    - name: Setup container structure test
+      run: |
+        curl -LO https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64
+        chmod +x container-structure-test-linux-amd64
+        sudo mv container-structure-test-linux-amd64 /usr/local/bin/container-structure-test
+
+    - name: Run container structure test
+      run: |
+        docker build -t appwrite-base-test .
+        container-structure-test test --image appwrite-base-test --config tests.yaml
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,4 @@
 .idea
 *.logs
 NOTES*.md
-trivy-image-results.json
+trivy-*-results.json
diff --git a/README.md b/README.md
@@ -45,13 +45,13 @@ docker buildx build --tag appwrite/base:latest .
 Multi-arch building.
 
 ```shell
-docker buildx build --platform linux/amd64,linux/arm64/v8,linux/ppc64le --tag appwrite/base:latest .
+docker buildx build --platform linux/amd64,linux/arm64/v8,linux/ppc64le --push --tag appwrite/base:latest .
 ```
 
 ## Scan
 
 ```shell
-trivy image appwrite/base:latest
+trivy image --format json --pkg-types  os,library --severity  CRITICAL,HIGH --output trivy-image-results.json appwrite/base:latest
 ```
 
 ## Test
