From decc35440c3f9678a1bc8d2b825f20b464ce98bc Mon Sep 17 00:00:00 2001 From: Nishan Date: Fri, 8 May 2026 16:47:45 +0530 Subject: [PATCH 1/6] Add Trivy vulnerability scanning workflow --- .github/workflows/vulnerabilities.yml | 74 +++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 .github/workflows/vulnerabilities.yml diff --git a/.github/workflows/vulnerabilities.yml b/.github/workflows/vulnerabilities.yml new file mode 100644 index 0000000..7079222 --- /dev/null +++ b/.github/workflows/vulnerabilities.yml @@ -0,0 +1,74 @@ +name: Check vulnerabilities + +on: + push: + branches: + - main + - master + pull_request: + release: + types: [published] + +jobs: + trivy-scan: + name: Trivy Security Scan + runs-on: ubuntu-24.04 + + permissions: + contents: read + security-events: write + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + # ========================= + # Filesystem Scan + # ========================= + - name: Run Trivy filesystem scan + uses: aquasecurity/trivy-action@0.35.0 + with: + scan-type: fs + scan-ref: . + format: table + exit-code: 1 + ignore-unfixed: true + severity: CRITICAL,HIGH + + # ========================= + # Build Docker Image + # ========================= + - name: Build Docker image + run: docker build -t nuxt-client:latest . + + # ========================= + # Docker Image Scan + # ========================= + - name: Run Trivy image scan + uses: aquasecurity/trivy-action@0.35.0 + with: + image-ref: nuxt-client:latest + format: table + exit-code: 1 + ignore-unfixed: true + vuln-type: os,library + severity: CRITICAL,HIGH + + # ========================= + # Generate SARIF Report + # ========================= + - name: Run Trivy SARIF scan + uses: aquasecurity/trivy-action@0.35.0 + with: + scan-type: fs + scan-ref: . + format: sarif + output: trivy-results.sarif + + # ========================= + # Upload SARIF to GitHub + # ========================= + - name: Upload Trivy scan results + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: trivy-results.sarif \ No newline at end of file From 198903765b7c692b6a9efe0a07d455a619816e2b Mon Sep 17 00:00:00 2001 From: Nishan Date: Fri, 8 May 2026 17:01:29 +0530 Subject: [PATCH 2/6] Added zooproject-ui branch for testing --- .github/workflows/vulnerabilities.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/vulnerabilities.yml b/.github/workflows/vulnerabilities.yml index 7079222..d312589 100644 --- a/.github/workflows/vulnerabilities.yml +++ b/.github/workflows/vulnerabilities.yml @@ -4,7 +4,8 @@ on: push: branches: - main - - master + - develop + - zooproject-ui pull_request: release: types: [published] From b1be81773a269f22341ffed2cfee96bbae05e4b1 Mon Sep 17 00:00:00 2001 From: Nishan Date: Fri, 8 May 2026 17:07:37 +0530 Subject: [PATCH 3/6] Fix Dockerfile path in Trivy workflow --- .github/workflows/vulnerabilities.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/vulnerabilities.yml b/.github/workflows/vulnerabilities.yml index d312589..16411f8 100644 --- a/.github/workflows/vulnerabilities.yml +++ b/.github/workflows/vulnerabilities.yml @@ -40,7 +40,7 @@ jobs: # Build Docker Image # ========================= - name: Build Docker image - run: docker build -t nuxt-client:latest . + run: docker build -f Dockerfile.nuxt -t nuxt-client:latest . # ========================= # Docker Image Scan From 46d40b02697b95142db174b2aebbbe8383a38d90 Mon Sep 17 00:00:00 2001 From: Nishan Date: Tue, 12 May 2026 11:02:36 +0530 Subject: [PATCH 4/6] Updated --- .github/workflows/vulnerabilities.yml | 38 +++++---------------------- 1 file changed, 6 insertions(+), 32 deletions(-) diff --git a/.github/workflows/vulnerabilities.yml b/.github/workflows/vulnerabilities.yml index 16411f8..1b6722b 100644 --- a/.github/workflows/vulnerabilities.yml +++ b/.github/workflows/vulnerabilities.yml @@ -11,8 +11,7 @@ on: types: [published] jobs: - trivy-scan: - name: Trivy Security Scan + vulnerabilities: runs-on: ubuntu-24.04 permissions: @@ -23,53 +22,28 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - # ========================= - # Filesystem Scan - # ========================= + - name: Run Trivy filesystem scan uses: aquasecurity/trivy-action@0.35.0 with: scan-type: fs scan-ref: . format: table - exit-code: 1 + exit-code: 0 ignore-unfixed: true severity: CRITICAL,HIGH - # ========================= - # Build Docker Image - # ========================= + - name: Build Docker image run: docker build -f Dockerfile.nuxt -t nuxt-client:latest . - # ========================= - # Docker Image Scan - # ========================= + - name: Run Trivy image scan uses: aquasecurity/trivy-action@0.35.0 with: image-ref: nuxt-client:latest format: table - exit-code: 1 + exit-code: 0 ignore-unfixed: true vuln-type: os,library severity: CRITICAL,HIGH - - # ========================= - # Generate SARIF Report - # ========================= - - name: Run Trivy SARIF scan - uses: aquasecurity/trivy-action@0.35.0 - with: - scan-type: fs - scan-ref: . - format: sarif - output: trivy-results.sarif - - # ========================= - # Upload SARIF to GitHub - # ========================= - - name: Upload Trivy scan results - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: trivy-results.sarif \ No newline at end of file From a96a562c6d756507ecd056550715e1d8027301f9 Mon Sep 17 00:00:00 2001 From: Nishan Date: Tue, 12 May 2026 13:22:25 +0530 Subject: [PATCH 5/6] Included SARIF --- .github/workflows/vulnerabilities.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/.github/workflows/vulnerabilities.yml b/.github/workflows/vulnerabilities.yml index 1b6722b..abf84af 100644 --- a/.github/workflows/vulnerabilities.yml +++ b/.github/workflows/vulnerabilities.yml @@ -47,3 +47,20 @@ jobs: ignore-unfixed: true vuln-type: os,library severity: CRITICAL,HIGH + + + # Generate SARIF Report + - name: Run Trivy SARIF scan + uses: aquasecurity/trivy-action@0.35.0 + with: + scan-type: fs + scan-ref: . + format: sarif + output: trivy-results.sarif + + + # Upload SARIF to GitHub + - name: Upload Trivy scan results + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: trivy-results.sarif \ No newline at end of file From 1fda8499c2d97d6b4d1c743f4adf4c55a4d28afe Mon Sep 17 00:00:00 2001 From: Muhammed Nishan Date: Tue, 12 May 2026 13:25:06 +0530 Subject: [PATCH 6/6] Modify branch triggers in vulnerabilities.yml Removed 'zooproject-ui' branch from push triggers in vulnerabilities.yml. --- .github/workflows/vulnerabilities.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/vulnerabilities.yml b/.github/workflows/vulnerabilities.yml index abf84af..56f29f0 100644 --- a/.github/workflows/vulnerabilities.yml +++ b/.github/workflows/vulnerabilities.yml @@ -5,7 +5,6 @@ on: branches: - main - develop - - zooproject-ui pull_request: release: types: [published] @@ -63,4 +62,4 @@ jobs: - name: Upload Trivy scan results uses: github/codeql-action/upload-sarif@v3 with: - sarif_file: trivy-results.sarif \ No newline at end of file + sarif_file: trivy-results.sarif