Trivy vulnerability scanner #63
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Depending on the location of your Docker container | |
# you need to change the path to the specific Docker registry. | |
# | |
name: "Trivy vulnerability scanner" | |
on: | |
workflow_dispatch: # Trigger manually | |
push: | |
branches: main | |
paths-ignore: | |
- '**/*.md' | |
- '**/*.txt' | |
pull_request: | |
branches: main | |
paths-ignore: | |
- '**/*.md' | |
- '**/*.txt' | |
schedule: | |
- cron: '0 0 * * *' # Once a day | |
jobs: | |
analyze-config: | |
runs-on: ubuntu-latest | |
permissions: | |
actions: read | |
contents: read | |
security-events: write | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v3 | |
- name: Run Trivy vulnerability scanner in repo mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: "config" | |
ignore-unfixed: true | |
exit-code: "1" | |
hide-progress: false | |
format: "sarif" | |
output: "trivy-results1.sarif" | |
severity: "CRITICAL,HIGH" | |
# full-irs is a demonstration and not intended to run in a production environment, it can be excluded | |
skip-dirs: "charts/connector/aasregistry,charts/connector/daps,charts/connector/edc-provider,charts/connector/submodelservers,charts/irs-environments/local,local/deployment/full-irs" # skip scanning external images. | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
if: always() | |
with: | |
sarif_file: "trivy-results1.sarif" |