Vulnerabilities Checks #537

Workflow file for this run

.github/workflows/vulnerabilities-check.yml at b68dcb7

	name: Vulnerabilities Checks

	on:
	schedule:
	- cron: "0 0 * * *" # Every day
	workflow_dispatch: {}

	env:
	JAVA_VERSION: '21'

	permissions:
	contents: read

	jobs:
	dependency-check:
	name: Dependency Check
	runs-on: ubuntu-latest
	steps:
	# Checkout
	- uses: actions/checkout@v6
	with:
	fetch-depth: 0

	# Setup build
	- uses: kestra-io/actions/composite/setup-build@main
	id: build
	with:
	java-enabled: true
	node-enabled: true

	# Npm
	- name: Npm - Install
	shell: bash
	working-directory: ui
	run: npm ci

	# Run OWASP dependency check plugin
	- name: Gradle Dependency Check
	env:
	NVD_API_KEY: ${{ secrets.NIST_APIKEY }}
	run: \|
	./gradlew dependencyCheckAggregate

	# Upload dependency check report
	- name: Upload dependency check report
	uses: actions/upload-artifact@v5
	if: ${{ always() }}
	with:
	name: dependency-check-report
	path: build/reports/dependency-check-report.html

	develop-image-check:
	name: Image Check (develop)
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write
	actions: read
	steps:
	# Checkout
	- uses: actions/checkout@v6
	with:
	fetch-depth: 0

	# Setup build
	- uses: kestra-io/actions/composite/setup-build@main
	id: build
	with:
	java-enabled: false
	node-enabled: false

	# Run Trivy image scan for Docker vulnerabilities, see https://github.com/aquasecurity/trivy-action
	- name: Docker Vulnerabilities Check
	uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
	with:
	image-ref: kestra/kestra:develop
	format: 'template'
	template: '@/contrib/sarif.tpl'
	severity: 'CRITICAL,HIGH'
	output: 'trivy-results.sarif'
	skip-dirs: /app/plugins

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v4
	with:
	sarif_file: 'trivy-results.sarif'
	category: docker-

	latest-image-check:
	name: Image Check (latest)
	runs-on: ubuntu-latest
	permissions:
	contents: read
	security-events: write
	actions: read
	steps:
	# Checkout
	- uses: actions/checkout@v6
	with:
	fetch-depth: 0

	# Setup build
	- uses: kestra-io/actions/composite/setup-build@main
	id: build
	with:
	java-enabled: false
	node-enabled: false

	# Run Trivy image scan for Docker vulnerabilities, see https://github.com/aquasecurity/trivy-action
	- name: Docker Vulnerabilities Check
	uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
	with:
	image-ref: kestra/kestra:latest
	format: table
	skip-dirs: /app/plugins
	scanners: vuln
	severity: 'CRITICAL,HIGH'
	output: 'trivy-results.sarif'

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v4
	with:
	sarif_file: 'trivy-results.sarif'
	category: docker-

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Vulnerabilities Checks #537

Workflow file

Vulnerabilities Checks #537

Uh oh!

Jobs

Run details

Workflow file for this run