diff --git a/.github/workflows/trivy_scan.yml b/.github/workflows/trivy_scan.yml new file mode 100644 index 000000000..1c9ceb49e --- /dev/null +++ b/.github/workflows/trivy_scan.yml @@ -0,0 +1,76 @@ +name: Trivy Scan (Repo) + +on: + workflow_dispatch: + pull_request: + push: + branches: + - 'main' + - 'release/*' + +concurrency: + group: trivy_scan_${{ github.ref }} + cancel-in-progress: ${{ github.ref != 'refs/heads/main' }} + +jobs: + scan-repo-trivy: + env: + TRIVY_REPORT_PREFIX: trivy-report-concrete + # used by aquasecurity/trivy-action + TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 + TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1 + runs-on: ubuntu-latest + steps: + - name: Checkout parent Repo + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + submodules: true + + - name: Export DateTime + run: | + fullnumericdate=$(date +%Y%m%d%H%M%S) + echo "DATE_FULL=$fullnumericdate" >> "$GITHUB_ENV" + + - name: Scan repo (json) + uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 + with: + scan-type: fs + scanners: vuln,secret,misconfig + scan-ref: ./ + format: json + output: ${{ env.TRIVY_REPORT_PREFIX }}-${{ env.DATE_FULL }}.json + + - name: Scan repo (sarif) + uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 + with: + scan-type: fs + scanners: vuln,secret,misconfig + scan-ref: ./ + format: sarif + output: ${{ env.TRIVY_REPORT_PREFIX }}-${{ env.DATE_FULL }}.sarif + + - name: Download Trivy HTML template + run: | + wget -q https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl -P trivy_contrib/ + + - name: Scan repo (html) + uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 + with: + scan-type: fs + scanners: vuln,secret,misconfig + scan-ref: ./ + format: template + template: '@trivy_contrib/html.tpl' + output: ${{ env.TRIVY_REPORT_PREFIX }}-${{ env.DATE_FULL }}.html + + - name: Upload scan results as artifacts + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + with: + name: ${{ env.TRIVY_REPORT_PREFIX }}-all-${{ env.DATE_FULL }} + path: ${{ env.TRIVY_REPORT_PREFIX }}-${{ env.DATE_FULL }}.* + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@86b04fb0e47484f7282357688f21d5d0e32175fe # v3.27.6 + with: + sarif_file: ${{ env.TRIVY_REPORT_PREFIX }}-${{ env.DATE_FULL }}.sarif + category: sca-trivy-repo