[Tool] Trivy Pipeline

Signed-off-by: AndyZiYe <[email protected]>

.github/workflows/.trivy.yaml

@@ -0,0 +1,34 @@
+# Same as '--severity'
+# Default is all severities
+severity:
+ - HIGH
+ - CRITICAL
+
+scan:
+ # Same as '--security-checks'
+ # Default depends on subcommand
+ security-checks:
+ - vuln
+
+vulnerability:
+ # Same as '--vuln-type'
+ # Default is 'os,library'
+ type:
+ - library
+
+# Same as '--format'
+format: sarif
+
+# Same as '--output'
+# Used to upload sarif to GitHub Security tab
+output: trivy-results.sarif
+
+# Same as '--ignore-unfixed'
+ignore-unfixed: false
+
+# Same as '--list-all-pkgs'
+list-all-pkgs: false
+
+# Same as '--exit-code'
+# Zero as we are only reporting for now, not enforcing
+exit-code: 0

.github/workflows/trivy-pipeline.yml

@@ -0,0 +1,29 @@
+name: TRIVY PIPELINE
+
+on:
+ pull_request:
+ types:
+ - opened
+ - synchronize
+
+ branches:
+ - trivy-test
+ - main
+
+concurrency:
+ group: ${{ github.event.number }}
+ cancel-in-progress: true
+
+jobs:
+ trivy-checker:
+ runs-on: [self-hosted, normal]
+ name: RUN
+ steps:
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 #0.19.0
+ env:
+ TMPDIR: ${{ github.workspace }}/trivy_temp # Required to prevent Trivy running out of space
+ with:
+ image-ref: "registry.cn-zhangjiakou.aliyuncs.com/starrocks/dev-env-centos7:3.1-latest"
+ scan-type: "image"
+ trivy-config: ".trivy.yaml"