diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 38abfd4..a0b9a85 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -1,96 +1,96 @@ # Workflow managed by https://github.com/AnchorFree/workflows/ -name: Trivy scan - -on: - push: - branches: [ "master" ] - pull_request: - types: [opened, reopened, synchronize] - schedule: - # 00:00 every 14 days - - cron: 0 0 */14 * * - -permissions: - contents: read - -jobs: - trivy-repo-scan: - permissions: - contents: read - security-events: write - actions: read - name: Trivy repo scan - runs-on: ubuntu-latest - env: - TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 - TRIVY_JAVA_DB_REPOSTITORY: public.ecr.aws/aquasecurity/trivy-java-db:1 - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - lfs: true - submodules: recursive - - - name: Checkout LFS objects - run: git lfs checkout - - - name: Run Trivy vulnerability scanner in repo mode (table) - uses: aquasecurity/trivy-action@0.24.0 - with: - scan-type: 'fs' - ignore-unfixed: true - format: 'table' - - - name: Run Trivy vulnerability scanner in repo mode (sarif) - uses: aquasecurity/trivy-action@0.24.0 - with: - scan-type: 'fs' - ignore-unfixed: true - format: 'sarif' - output: 'trivy-results.sarif' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'trivy-results.sarif' - - trivy-image-scan: - permissions: - contents: read - security-events: write - actions: read - name: Trivy image scan - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - lfs: true - submodules: recursive - - - name: Checkout LFS objects - run: git lfs checkout - - - name: Build an image from Dockerfile - run: | - docker build -t ${{ github.sha }} . - - - name: Run Trivy vulnerability scanner in image mode (table output) - uses: aquasecurity/trivy-action@0.24.0 - with: - image-ref: '${{ github.sha }}' - ignore-unfixed: true - format: 'table' - - - name: Run Trivy vulnerability scanner in image mode (sarif output) - uses: aquasecurity/trivy-action@0.24.0 - with: - image-ref: '${{ github.sha }}' - ignore-unfixed: true - format: 'sarif' - output: 'trivy-results.sarif' - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: 'trivy-results.sarif' +name: Trivy scan + +on: + push: + branches: [ "master" ] + pull_request: + types: [opened, reopened, synchronize] + schedule: + # 00:00 every 14 days + - cron: 0 0 */14 * * + +permissions: + contents: read + +jobs: + trivy-repo-scan: + permissions: + contents: read + security-events: write + actions: read + name: Trivy repo scan + runs-on: ubuntu-latest + env: + TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 + TRIVY_JAVA_DB_REPOSTITORY: public.ecr.aws/aquasecurity/trivy-java-db:1 + steps: + - name: Checkout code + uses: actions/checkout@v6 + with: + lfs: true + submodules: recursive + + - name: Checkout LFS objects + run: git lfs checkout + + - name: Run Trivy vulnerability scanner in repo mode (table) + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + with: + scan-type: 'fs' + ignore-unfixed: true + format: 'table' + + - name: Run Trivy vulnerability scanner in repo mode (sarif) + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + with: + scan-type: 'fs' + ignore-unfixed: true + format: 'sarif' + output: 'trivy-results.sarif' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v4 + with: + sarif_file: 'trivy-results.sarif' + + trivy-image-scan: + permissions: + contents: read + security-events: write + actions: read + name: Trivy image scan + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v6 + with: + lfs: true + submodules: recursive + + - name: Checkout LFS objects + run: git lfs checkout + + - name: Build an image from Dockerfile + run: | + docker build -t ${{ github.sha }} . + + - name: Run Trivy vulnerability scanner in image mode (table output) + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + with: + image-ref: '${{ github.sha }}' + ignore-unfixed: true + format: 'table' + + - name: Run Trivy vulnerability scanner in image mode (sarif output) + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + with: + image-ref: '${{ github.sha }}' + ignore-unfixed: true + format: 'sarif' + output: 'trivy-results.sarif' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v4 + with: + sarif_file: 'trivy-results.sarif'