Trivy CI
Update CI pipeline to include trivy vulnerability scan. New pipeline:
- Security Test: `trivy fs --ignore-unfixed --security-checks vuln,config,secret --severity MEDIUM,HIGH,CRITICAL --exit-code 1 .` (`trivy fs` needs a target path; `.` scans the repository root)
- Security Report: `trivy fs --security-checks vuln,config,secret -o report.txt .`, and save the report as an artifact
- Unit Tests: As existing
- Code style: Split pycodestyle into a new job. Also look into a different style checker like black
- Deploy package (Needs: Unit Tests, Security Test): As implemented
This should result in:
- Only pushing to pip if the package is secure
- A comprehensive vulnerability report available as a job artifact
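An added example of what the pipeline above looks like as a CI config. It is not the project's own file; it assumes GitLab CI (the "Needs:" wording maps onto GitLab's `needs:` keyword), and the stage names, image tags, package directory and test runner are assumptions. The two Trivy jobs use the exact flags from the issue; the report job deliberately has no `--exit-code`, so Trivy's default exit status of 0 means findings never fail it, while `--exit-code 1` in the test job is what blocks the deploy. Newer Trivy releases spell `--security-checks` as `--scanners`, with the same `vuln,config,secret` values.

```yaml
# Added example (not the project's pipeline). Assumes GitLab CI; stage names,
# image tags, package directory and the test runner are assumptions.
stages:
  - test
  - deploy

# Shared Trivy setup: clear the image entrypoint so `script:` lines run as-is,
# and cache the vulnerability DB between jobs so each scan is not a full download.
.trivy-base:
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  variables:
    TRIVY_CACHE_DIR: .trivycache/
  cache:
    key: trivy-db
    paths:
      - .trivycache/

security-test:
  extends: .trivy-base
  stage: test
  script:
    # Fails on any fixable MEDIUM/HIGH/CRITICAL finding; this is the gate for deploy.
    # On recent Trivy versions --security-checks is spelled --scanners.
    - >
      trivy fs --ignore-unfixed --security-checks vuln,config,secret
      --severity MEDIUM,HIGH,CRITICAL --exit-code 1 .

security-report:
  extends: .trivy-base
  stage: test
  script:
    # Full report: every severity, unfixed findings included. No --exit-code,
    # so findings do not fail this job; only a scanner error would.
    - trivy fs --security-checks vuln,config,secret -o report.txt .
  artifacts:
    paths:
      - report.txt
    when: always
    expire_in: 30 days

unit-tests:
  stage: test
  image: python:3
  script:
    - pip install .
    - python -m unittest discover   # assumed test runner

code-style:
  stage: test
  image: python:3
  script:
    - pip install pycodestyle
    - pycodestyle agutil             # package directory is an assumption

deploy-package:
  stage: deploy
  image: python:3
  # Runs only when both gates pass; security-report and code-style are not gates.
  needs: [unit-tests, security-test]
  rules:
    - if: $CI_COMMIT_TAG
  script:
    - pip install build twine
    - python -m build
    # TWINE_USERNAME / TWINE_PASSWORD come from protected CI variables.
    - twine upload dist/*
```

Because `needs:` lists only `unit-tests` and `security-test`, a red report job or style job still produces the artifact without holding up the publish step, which is the split the issue asks for.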
Before this pipeline can be implemented, I need to fix the current known issues:
- agutil dependencies: Update rsa to 4.7 at least
Currently blocking agraubert/Beymax#101
Edited by Aaron Graubert