fix: scan docker image on CVEs in CI (#1170)

ikheifets-splunk · web-flow · commit 751763d5d0fd · 2025-05-08T12:58:18.000+02:00
Signed-off-by: Ilya Kheifets &lt;ikheifets@splunk.com&gt;
diff --git a/.github/workflows/ci-main.yaml b/.github/workflows/ci-main.yaml
@@ -72,6 +72,30 @@ jobs:
         with:
           python-version: "3.10"
       - uses: pre-commit/action@v3.0.1
+
+  trivy-scan:
+    runs-on: ubuntu-latest
+    name: "Run trivy scanner to detect CVEs in docker image"
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build Docker image
+        run: |
+          docker build -t snmp_local:ci .
+
+      - name: Scan image with Trivy
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: snmp_local:ci
+          format: table
+          exit-code: 1
+          severity: 'CRITICAL,HIGH,MEDIUM,LOW'
+
   test-unit:
     name: Test Unit Python ${{ matrix.python-version }}
     runs-on: ubuntu-latest
diff --git a/Dockerfile b/Dockerfile
@@ -3,7 +3,8 @@ FROM python:3.10-alpine AS base
 ENV PYTHONFAULTHANDLER=1 \
     PYTHONHASHSEED=random \
     PYTHONUNBUFFERED=1
-RUN apk add -U git
+RUN apk add -U git sqlite-dev
+RUN pip install --upgrade setuptools pip
 RUN mkdir /app
 WORKDIR /app
 
