From 0247a4f9ca63385cba5247086c8740ea0cabca67 Mon Sep 17 00:00:00 2001
From: Subu <837733+smoneyan@users.noreply.github.com>
Date: Sat, 21 Mar 2026 17:18:25 +0800
Subject: [PATCH 1/2] PFMENG-5074 remove aqua security workflow
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
.github/workflows/aqua-security.yaml | 174 ---------------------------
1 file changed, 174 deletions(-)
delete mode 100644 .github/workflows/aqua-security.yaml
diff --git a/.github/workflows/aqua-security.yaml b/.github/workflows/aqua-security.yaml
deleted file mode 100644
index 2111aa5..0000000
--- a/.github/workflows/aqua-security.yaml
+++ /dev/null
@@ -1,174 +0,0 @@
-name: 'Trivy Aqua Security Scan for Docker and ECR Reusable workflow'
-
-on:
- workflow_call:
- inputs:
- docker_file:
- description: Name of the dockerfile
- type: string
- default: ./Dockerfile
- required: false
- docker_tag_name:
- description: Provide the docker tag names
- type: string
- default: ''
- required: false
- docker_file_context:
- description: Docker File Context
- type: string
- default: .
- required: false
- docker_tag_version:
- description: Provide the docker tag names
- type: string
- default: 'latest'
- required: false
- docker_build_args:
- description: "Multi-Line list of build args with key value"
- type: string
- required: false
- default: ''
- ecr_image_name:
- description: ECR repo image to scan
- type: string
- required: false
- ecr_tag_version:
- description: ECR repo tag version to scan
- type: string
- required: false
- default: 'latest'
- aws_account_id:
- description: "AWS account ID"
- type: string
- required: false
- default: ''
- aws_account_region:
- description: "AWS account region"
- type: string
- required: false
- default: ''
- aws_iam_role_arn:
- description: "AWS ARN IAM Role"
- type: string
- required: false
- default: ''
- trivy_format:
- description: "Trivy format to log out the scan"
- type: string
- default: 'table'
- required: false
- upload_to_codeql:
- description: "Upload SARIF to CodeQL"
- type: boolean
- default: false
- required: false
- default_runner_override_label:
- description: "Change this to 'self-hosted' or 'ubuntu-latest'"
- type: string
- default: "ubuntu-latest"
- required: false
- runner_label:
- description: "Runner label to point to self hosted runners"
- type: string
- default: "ubuntu-latest"
- required: false
- scan_type:
- description: "Scan Type to be scanned"
- type: string
- default: 'docker'
- required: false
- scan_reference:
- description: "Scan reference(e.g. /github/workspace/ or .)"
- type: string
- default: "."
- required: false - skip_directories: - description: "Comma separated list of directories where traversal is skipped" - type: string - default: "" - required: false - secrets: - OAUTH_TOKEN: - description: Github Token for accessing other dependency private repo - required: false - -jobs: - trivy-scan: - runs-on: - - ${{ inputs.default_runner_override_label }} - - ${{ inputs.runner_label }} - permissions: - contents: read - steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Set Variable - id: set-vars - run: | - if [ "${{ inputs.docker_tag_name }}" != "" ]; then - echo "file_output=trivy-results-docker.sarif" >> "$GITHUB_OUTPUT" - elif [ "${{ inputs.ecr_image_name }}" != "" ] && [ "${{ inputs.aws_account_id }}" != "" ]; then - echo "file_output=trivy-results-ecr.sarif" >> "$GITHUB_OUTPUT" - else - echo "file_output=trivy-results-fs.sarif" >> "$GITHUB_OUTPUT" - fi - shell: bash - - - name: Configure aws credentials - uses: aws-actions/configure-aws-credentials@v4 - with: - role-skip-session-tagging: true - role-to-assume: ${{ inputs.aws_iam_role_arn }} - role-session-name: gh-actions - aws-region: ${{ inputs.aws_account_region }} - if: ${{ (inputs.docker_tag_name =='') && (inputs.ecr_image_name !='') }} - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: ${{ inputs.aws_account_id }}.dkr.ecr.${{ inputs.aws_account_region }}.amazonaws.com/${{ inputs.ecr_image_name}}:${{ inputs.ecr_tag_version }} - format: ${{ inputs.trivy_format }} - output: ${{ inputs.upload_to_codeql && steps.set-vars.outputs.file_output || '' }} - if: ${{ (inputs.docker_tag_name =='') && (inputs.ecr_image_name !='') && (inputs.aws_account_id != '') }} - - - name: Docker Build and Push - uses: docker/build-push-action@v6 - with: - context: ${{ inputs.docker_file_context }} - file: ${{ inputs.docker_file }} - tags: ${{ inputs.docker_tag_name }}:${{ inputs.docker_tag_version }} - build-args: | - GITHUB_OAUTH_TOKEN=${{ 
secrets.OAUTH_TOKEN }}
- ${{ inputs.docker_build_args }}
- push: false
- if: ${{ inputs.docker_tag_name !='' }}
-
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: ${{ inputs.docker_tag_name }}:${{ inputs.docker_tag_version }}
- format: ${{ inputs.trivy_format }}
- output: ${{ inputs.upload_to_codeql && steps.set-vars.outputs.file_output || '' }}
- ignore-unfixed: false
- vuln-type: 'os,library'
- severity: 'CRITICAL,HIGH,MEDIUM'
- if: ${{ inputs.docker_tag_name !='' }}
-
- - name: Run Trivy vulnerability scanner for Github Repo
- uses: aquasecurity/trivy-action@master
- with:
- scan-type: 'fs'
- scan-ref: ${{ inputs.scan_reference }}
- ignore-unfixed: false
- format: ${{ inputs.trivy_format }}
- output: ${{ inputs.upload_to_codeql && steps.set-vars.outputs.file_output || '' }}
- severity: 'HIGH,CRITICAL,MEDIUM'
- skip-dirs: ${{ inputs.skip_directories }}
- if: ${{ inputs.scan_type == 'fs' }}
-
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
- with:
- sarif_file: ${{ steps.set-vars.outputs.file_output }}
- if: ${{ inputs.upload_to_codeql }}
From 42221a846d2cc30f7e855cf65b103ff60ee5c6b4 Mon Sep 17 00:00:00 2001
From: Subu <837733+smoneyan@users.noreply.github.com>
Date: Sat, 21 Mar 2026 17:23:05 +0800
Subject: [PATCH 2/2] PFMENG-5074 remove Trivy scans from terraform workflow
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
.github/workflows/terraform.yaml | 75 --------------------------
1 file changed, 75 deletions(-)
diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
index d6b5c2d..e48b99b 100644
--- a/.github/workflows/terraform.yaml
+++ b/.github/workflows/terraform.yaml
@@ -22,21 +22,6 @@ on:
type: boolean
default: true
required: false
- trivy_format:
- description: Output format (table, json, sarif, github)
- type: string
- default: sarif
- required: false
- trivy_output:
- description: Save results to a file
- type: string
- default: "trivy-results.sarif"
- required: false
- trivy_inspect_output:
- description: Print trivy output for inspection, set to 'true' for debugging purposes
- type: string
- default: "false"
- required: false
main_branch:
description: Name of the main branch
type: string
@@ -351,36 +336,6 @@ jobs:
fetch-depth: 1
submodules: ${{ inputs.enable_submodules }}
- - name: Run Trivy vulnerability scanner in IaC mode
- uses: aquasecurity/trivy-action@0.23.0
- with:
- scan-type: "config"
- hide-progress: false
- format: ${{ inputs.trivy_format }}
- output: ${{ inputs.trivy_output }}
- ignore-unfixed: true
- severity: "CRITICAL,HIGH"
- - name: Upload Trivy scan results to Github for inspection
- if: ${{ inputs.trivy_inspect_output == 'true' }}
- uses: actions/upload-artifact@v4
- with:
- path: ${{ inputs.trivy_output }}
- retention-days: 1
- # https://github.com/aquasecurity/trivy/issues/5003
- - name: Remove git from url for sarif uploading
- if: ${{ inputs.trivy_format == 'sarif' && inputs.trivy_output != '' }}
- shell: bash
- run: |
- sed -i 's#git::https:/##g' ${{ inputs.trivy_output }}
- - name: Upload Trivy scan results to GitHub Security tab
- if: inputs.upload_sarif == true
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: ${{ inputs.trivy_output }}
- name: Get changed files
id: changed-files
uses: step-security/changed-files@v45
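Review bot: Deleting `trivy_format`, `trivy_output` and `trivy_inspect_output` from the `workflow_call` inputs is a breaking change for every caller that still passes them — GitHub Actions reports an error when a reusable-workflow call supplies an input the callee no longer declares, so those callers fail at validation instead of silently losing an option. Callers in other repositories that pin this workflow by branch will break on the next run, so either coordinate the removal with them or keep the three inputs declared for one release with a description such as `description: Deprecated, ignored since PFMENG-5074 (Trivy scan removed)`. The `inputs:` block this hunk edits starts outside the hunk; if `upload_sarif` is still declared there, its only consumer in this file that I can see (`if: inputs.upload_sarif == true`) is removed by the later hunks, so it should go in the same commit or be documented as a no-op.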
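Review bot: After this hunk the job runs checkout and then goes straight to `Get changed files`; nothing in the commit replaces the `config`-mode scan or the Security-tab upload that used to sit between them, so CRITICAL/HIGH Terraform misconfigurations no longer surface anywhere in this job. If scanning has moved to another pipeline (the PFMENG-5074 reference in the subject does not say), record that at the removal site so the gap is visibly deliberate, e.g. `# IaC scanning removed under PFMENG-5074; Terraform config checks now run in <replacement>`. If it has not moved, this is a silent reduction of security coverage and deserves either a replacement step or an explicit decision noted in the commit message. The enclosing job starts before the hunk.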
@@ -640,36 +595,6 @@ jobs:
fetch-depth: 1
submodules: ${{ inputs.enable_submodules }}
- - name: Run Trivy vulnerability scanner in IaC mode
- uses: aquasecurity/trivy-action@0.23.0
- with:
- scan-type: "config"
- hide-progress: false
- format: ${{ inputs.trivy_format }}
- output: ${{ inputs.trivy_output }}
- ignore-unfixed: true
- severity: "CRITICAL,HIGH"
- - name: Upload Trivy scan results to Github for inspection
- if: ${{ inputs.trivy_inspect_output == 'true' }}
- uses: actions/upload-artifact@v4
- with:
- path: ${{ inputs.trivy_output }}
- retention-days: 1
- # https://github.com/aquasecurity/trivy/issues/5003
- - name: Remove git from url for sarif uploading
- if: ${{ inputs.trivy_format == 'sarif' && inputs.trivy_output != '' }}
- shell: bash
- run: |
- sed -i 's#git::https:/##g' ${{ inputs.trivy_output }}
- - name: Upload Trivy scan results to GitHub Security tab
- if: inputs.upload_sarif == true
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: ${{ inputs.trivy_output }}
- name: Get changed files
id: changed-files
uses: step-security/changed-files@v45
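Review bot: With the `github/codeql-action/upload-sarif` step removed from this second job as well, the `security-events: write` permission that step needed is now unused — if this job's `permissions:` block (outside the hunk) still grants it, drop it so the job stays at least privilege, and do the same for the job edited in the previous hunk. The `actions/upload-artifact` step that published `trivy-results.sarif` is also gone, so any downstream job or script that downloaded that artifact will now fail on a missing artifact; a grep across callers for the artifact name before merging would confirm nothing depends on it. The enclosing job starts before the hunk.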