ci: scan kyverno-image on each build

Signed-off-by: ShubhamPalriwala <spalriwalau@gmail.com>
2025-03-31 03:45:17 +00:00 · 2021-10-05 11:52:06 +05:30 · 2021-10-05 11:52:06 +05:30 · 92ca609c7c
commit 92ca609c7c
parent af944b9cd5
2 changed files with 20 additions and 0 deletions
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@ -113,6 +113,16 @@ jobs:
        run: |
          make docker-build-kyverno

+      - name: Trivy Scan Image
+        uses: aquasecurity/trivy-action@master
+        with: 
+          image-ref: 'ghcr.io/kyverno/kyverno:latest'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
  build-kyverno-cli:
    runs-on: ubuntu-latest
    needs: pre-checks
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -84,6 +84,16 @@ jobs:
        run: |
          make docker-publish-kyverno

+      - name: Trivy Scan Image
+        uses: aquasecurity/trivy-action@master
+        with: 
+          image-ref: 'ghcr.io/kyverno/kyverno:latest'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
  release-kyverno-cli:
    runs-on: ubuntu-latest
    steps: