GitHub actions #10
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Vulnerability scan of the repo | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| jobs: | |
| repo-scan: | |
| name: 'Trivy repo scan' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: 'fs' | |
| trivy-config: "trivy-config.yaml" | |
| env: | |
| # env variables seems to be a more reliable way to configure trivy than inputs | |
| TRIVY_FORMAT: table # we cannot use the GitHub-integrated sarif format without GitHub advanced security | |
| TRIVY_OUTPUT: trivy-report.txt | |
| TRIVY_EXIT_CODE: 1 | |
| - shell: bash | |
| if: always() | |
| # Print result so that one doesn't need to download zip files to see the result | |
| run: | | |
| cat trivy-report.txt | |
| echo "Trivy report:" >> $GITHUB_STEP_SUMMARY | |
| echo '~~~' >> $GITHUB_STEP_SUMMARY | |
| cat trivy-report.txt >> $GITHUB_STEP_SUMMARY | |
| echo '~~~' >> $GITHUB_STEP_SUMMARY | |
| if echo "$REPORT_WITHOUT_TABLES" | grep -E '(HIGH|CRITICAL): [1-9]' > /dev/null; then | |
| echo "::error::Found HIGH or CRITICAL vulnerabilities" | |
| fi | |
| - name: Upload report artifact | |
| uses: actions/upload-artifact@v3 | |
| if: always() | |
| with: | |
| name: trivy-report.txt | |
| path: trivy-report.txt | |