diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
index 56e2915..e52b5d4 100644
--- a/.github/workflows/documentation.yml
+++ b/.github/workflows/documentation.yml
@@ -40,7 +40,7 @@ jobs:
 with:
 ref: main
- - name: Render terraform docs and push changes back to PR
+ - name: Render Terraform docs and push changes back to PR
 uses: terraform-docs/gh-actions@7a62208a0090636af2df1b739da46d27fd90bdc6 # v1.1.0
 with:
 git-commit-message: "docs: Generate documentation in README.md"
diff --git a/.github/workflows/trivy-license.yml b/.github/workflows/trivy-license.yml
new file mode 100644
index 0000000..f42a62e
--- /dev/null
+++ b/.github/workflows/trivy-license.yml
@@ -0,0 +1,69 @@
+---
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Trivy License Scan
+on:
+ branch_protection_rule:
+ schedule:
+ - cron: 45 8 * * 5
+ pull_request:
+ branches:
+ - main
+ push:
+ branches:
+ - main
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions: read-all
+
+jobs:
+ analysis:
+ name: Perform analysis
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ id-token: write
+
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+ with:
+ disable-sudo: true
+ egress-policy: block
+ allowed-endpoints: >
+ api.github.com:443
+ ghcr.io:443
+ github.com:443
+ objects.githubusercontent.com:443
+ pkg-containers.githubusercontent.com:443
+
+ - name: Checkout code
+ uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+ with:
+ persist-credentials: false
+
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # 0.18.0
+ with:
+ scan-type: fs
+ format: sarif
+ output: results.sarif
+ trivy-config: trivy-license.yaml
+ github-pat: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Upload artifact
+ uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+ with:
+ name: SARIF file
+ path: results.sarif
+ retention-days: 5
+
+ - name: Upload to code-scanning
+ uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
+ with:
+ sarif_file: results.sarif
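Review bot: The `Upload to code-scanning` step at the end of the hunk passes no `category`, so its SARIF lands in the same code-scanning analysis as any other Trivy upload for the same ref (the `trivy-license` file name suggests a sibling vulnerability workflow exists) and the most recent upload replaces the earlier findings; add `category: trivy-license` under that step's `with:`. The job also grants `id-token: write` although no step in the hunk uses OIDC — drop it so the job keeps only the `security-events: write` it actually needs. The third step is named `Run Trivy vulnerability scanner in repo mode` while the workflow name and its `trivy-config: trivy-license.yaml` (a file not part of this diff; confirm it exists at the repository root) describe a license scan, so rename it `Run Trivy license scanner in repo mode`. For `pull_request` runs from forks the token is read-only, so the code-scanning upload will presumably fail on those runs; confirm that is acceptable or guard the step on the event origin.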