-
Notifications
You must be signed in to change notification settings - Fork 5
94 lines (82 loc) · 2.92 KB
/
trivy.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
# A workflow that runs Trivy to scan the action Docker image
name: Trivy workflow
on:
pull_request:
branches: [ "main" ]
schedule:
- cron: '43 12 * * 0'
workflow_dispatch:
env:
BRANCH_NAME: ${{ github.ref_name }}
permissions:
contents: read
jobs:
trivy:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Build
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
disable-sudo: false
egress-policy: block
disable-telemetry: false
allowed-endpoints: >
api.github.com:443
auth.docker.io:443
deb.debian.org:80
docker.io:443
ghcr.io:443
github.com:443
pkg-containers.githubusercontent.com:443
production.cloudflare.docker.com:443
registry-1.docker.io:443
registry.npmjs.org:443
y2oiacprodeus2file6.blob.core.windows.net
# Cache directory for trivy
- uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: .trivy
key: ${{ runner.os }}-trivy-${{ github.run_id }}
restore-keys: |
${{ runner.os }}-trivy-
- name: Checkout code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Build an image from Dockerfile
run: |
docker build -t trivy-scan-image .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # 0.20.0
with:
scan-type: image
image-ref: "trivy-scan-image"
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
cache-dir: .trivy
exit-code: "1" # change to 1, if you want the build to break
ignore-unfixed: true
vuln-type: 'os,library'
# https://github.com/aquasecurity/trivy-action/issues/12 for an explanation
- name: Correct Trivy cache permissions
# shellcheck disable=all
if: always()
continue-on-error: true
run: |
sudo chown -R "$USER":"$GROUP" .trivy
echo $?
- name: Upload Trivy scan results to GitHub Security tab
if: always()
uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
with:
sarif_file: 'trivy-results.sarif'
- name: Upload Trivy report as attachment
if: always()
uses: actions/upload-artifact@v4
with:
name: trivy results SARIF
path: 'trivy-results.sarif'