Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add trivy vulnerability check #4

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

feat: add trivy vulnerability check #4

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
0 .github/workflows/check.yml → .github/workflows/check.change_yml
View file
Open in desktop
File renamed without changes.
76 changes: 76 additions & 0 deletions .github/workflows/trivy.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

name: Trivy vulnerability scanner

on:
push:
branches:
- '*'
pull_request:
branches:
- '*'
#schedule:
# - cron: '39 17 * * 3'

permissions:
contents: write
pull-requests: write # allows SonarQube to decorate PRs with analysis results

jobs:
build:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: write # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Build
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

#- name: Build an image from Dockerfile
# run: |
# docker build -t docker.io/my-organization/my-app:${{ github.sha }} .

- name: Run Trivy vulnerability scanner in fs mode
uses: aquasecurity/trivy-action@master
with:
# image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
scan-type: 'fs'
scan-ref: '.'
#exit-code: '0'
#ignore-unfixed: true
format: 'sarif'
#vuln-type: 'os,library'
severity: 'CRITICAL,HIGH,MEDIUM'
#template: '/sarif.tpl'
output: 'trivy-results.sarif'
#skip-dirs: "ignored-dir"
#trivy-config: trivy.yaml

- name: Upload Trivy scan results as artifact
uses: actions/upload-artifact@v2
with:
name: trivy-results
path: trivy-results.sarif

#- name: Upload Trivy scan results to GitHub Security tab
#uses: github/codeql-action/upload-sarif@v2
#with:
#sarif_file: 'trivy-results.sarif'

#- name: DEBUG Upload Trivy scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v3
# with:
# sarif_file: 'debug-trivy-results.sarif'

#- name: Create Pull Request
# uses: peter-evans/create-pull-request@v5
# with:
# commit-message: update vulnerability list
# title: Update vulnerability list
# body: Update the vulnerability list
# branch: update-vulnerabilities
Loading
Loading