Skip to content

Commit

Permalink
Update Aqua workflow with trivy-db fix
Browse files Browse the repository at this point in the history
  • Loading branch information
gdraynz committed Oct 10, 2024
1 parent 625d6e5 commit 397c8bc
Showing 1 changed file with 29 additions and 11 deletions.
40 changes: 29 additions & 11 deletions .github/workflows/aqua.yml
Original file line number Diff line number Diff line change
@@ -1,31 +1,49 @@
name: Aqua

on:
pull_request:
branches:
- main
- develop
- master

jobs:
aqua:
name: Aqua scanner
name: Code scanning
runs-on: ubuntu-24.04

permissions:
contents: read
id-token: write

steps:
- name: Checkout code
uses: actions/checkout@v4
with:
show-progress: false

- name: Authenticate to Google Cloud
id: gcloud-auth
uses: google-github-actions/auth@v2
with:
token_format: access_token
workload_identity_provider: projects/699052769907/locations/global/workloadIdentityPools/github-identity-pool-shared/providers/github-identity-provider-shared # yamllint disable-line
service_account: github-gar-sfcc-cartridge@lyrical-carver-335213.iam.gserviceaccount.com

- name: Authenticate to Artifact Registry
uses: docker/login-action@v3
with:
registry: europe-docker.pkg.dev
username: oauth2accesstoken
password: ${{ steps.gcloud-auth.outputs.access_token }}

- name: Run Aqua scanner
uses: docker://aquasec/aqua-scanner
with:
args: trivy fs --sast --reachability --scanners misconfig,vuln,secret .
# To customize which severities add the following flag: --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
# To enable SAST scanning, add: --sast
# To enable reachability scanning, add: --reachability
# To enable npm/dotnet non-lock file scanning, add: --package-json / --dotnet-proj
env:
AQUA_KEY: ${{ secrets.AQUA_KEY }}
AQUA_SECRET: ${{ secrets.AQUA_SECRET }}
GITHUB_TOKEN: ${{ github.token }}
AQUA_URL: https://api.eu-1.supply-chain.cloud.aquasec.com
CSPM_URL: https://eu-1.api.cloudsploit.com
TRIVY_RUN_AS_PLUGIN: "aqua"
# For http/https proxy configuration add env vars: HTTP_PROXY/HTTPS_PROXY, CA-CRET (path to CA certificate)
TRIVY_RUN_AS_PLUGIN: aqua
TRIVY_DB_REPOSITORY: europe-docker.pkg.dev/lyrical-carver-335213/ghcr-remote-cache/aquasecurity/trivy-db:2
with:
args: trivy fs --sast --reachability --scanners misconfig,vuln,secret .

0 comments on commit 397c8bc

Please sign in to comment.