-
Notifications
You must be signed in to change notification settings - Fork 6
66 lines (55 loc) · 1.87 KB
/
trivy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
name: Trivy
on:
push:
branches: ["main", "future"]
pull_request:
branches: ["main", "future"]
schedule:
- cron: "19 7 * * 0"
jobs:
base:
name: Analyze
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@main
- name: Build an image from Dockerfile
run: |
docker build -t spacelift:${{ github.sha }} base
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: "spacelift:${{ github.sha }}"
format: "template"
template: "@/contrib/sarif.tpl"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH"
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "trivy-results.sarif"
aws:
name: Analyze
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@main
- name: Build an image from Dockerfile
run: |
docker build --build-arg REPOSITORY_BASE_PATH=${{ secrets.PUBLIC_RUNNER_ANSIBLE_ECR_REPOSITORY_URL }} -t spacelift:${{ github.sha }} aws
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: "spacelift:${{ github.sha }}"
format: "template"
template: "@/contrib/sarif.tpl"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH"
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: "trivy-results.sarif"