Skip to content

Commit

Permalink
test: Add Trivy license scan.
Browse files Browse the repository at this point in the history
  • Loading branch information
skyzyx committed Mar 26, 2024
1 parent 5ac2f2c commit 737f0ec
Show file tree
Hide file tree
Showing 2 changed files with 70 additions and 1 deletion.
2 changes: 1 addition & 1 deletion .github/workflows/documentation.yml
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ jobs:
with:
ref: main

- name: Render terraform docs and push changes back to PR
- name: Render Terraform docs and push changes back to PR
uses: terraform-docs/gh-actions@7a62208a0090636af2df1b739da46d27fd90bdc6 # v1.1.0
with:
git-commit-message: "docs: Generate documentation in README.md"
Expand Down
69 changes: 69 additions & 0 deletions .github/workflows/trivy-license.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
---
# This workflow uses actions that are not certified by GitHub. They are provided
# by a third-party and are governed by separate terms of service, privacy
# policy, and support documentation.

name: Trivy License Scan
on:
branch_protection_rule:
schedule:
- cron: 45 8 * * 5
pull_request:
branches:
- main
push:
branches:
- main

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions: read-all

jobs:
analysis:
name: Perform analysis
runs-on: ubuntu-latest
permissions:
security-events: write
id-token: write

steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
ghcr.io:443
github.com:443
objects.githubusercontent.com:443
pkg-containers.githubusercontent.com:443
- name: Checkout code
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
persist-credentials: false

- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # 0.18.0
with:
scan-type: fs
format: sarif
output: results.sarif
trivy-config: trivy-license.yaml
github-pat: ${{ secrets.GITHUB_TOKEN }}

- name: Upload artifact
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: SARIF file
path: results.sarif
retention-days: 5

- name: Upload to code-scanning
uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
with:
sarif_file: results.sarif

0 comments on commit 737f0ec

Please sign in to comment.