Skip to content

Commit ef84d77

Browse files
Merge pull request #28 from AnchorFree/bump-and-pin-trivy
bump and pin trivy-action to commit hash
1 parent ec10e78 commit ef84d77

1 file changed

Lines changed: 95 additions & 95 deletions

File tree

.github/workflows/trivy.yml

Lines changed: 95 additions & 95 deletions
Original file line numberDiff line numberDiff line change
@@ -1,96 +1,96 @@
11
# Workflow managed by https://github.com/AnchorFree/workflows/
2-
name: Trivy scan
3-
4-
on:
5-
push:
6-
branches: [ "master" ]
7-
pull_request:
8-
types: [opened, reopened, synchronize]
9-
schedule:
10-
# 00:00 every 14 days
11-
- cron: 0 0 */14 * *
12-
13-
permissions:
14-
contents: read
15-
16-
jobs:
17-
trivy-repo-scan:
18-
permissions:
19-
contents: read
20-
security-events: write
21-
actions: read
22-
name: Trivy repo scan
23-
runs-on: ubuntu-latest
24-
env:
25-
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
26-
TRIVY_JAVA_DB_REPOSTITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
27-
steps:
28-
- name: Checkout code
29-
uses: actions/checkout@v4
30-
with:
31-
lfs: true
32-
submodules: recursive
33-
34-
- name: Checkout LFS objects
35-
run: git lfs checkout
36-
37-
- name: Run Trivy vulnerability scanner in repo mode (table)
38-
uses: aquasecurity/trivy-action@0.24.0
39-
with:
40-
scan-type: 'fs'
41-
ignore-unfixed: true
42-
format: 'table'
43-
44-
- name: Run Trivy vulnerability scanner in repo mode (sarif)
45-
uses: aquasecurity/trivy-action@0.24.0
46-
with:
47-
scan-type: 'fs'
48-
ignore-unfixed: true
49-
format: 'sarif'
50-
output: 'trivy-results.sarif'
51-
52-
- name: Upload Trivy scan results to GitHub Security tab
53-
uses: github/codeql-action/upload-sarif@v3
54-
with:
55-
sarif_file: 'trivy-results.sarif'
56-
57-
trivy-image-scan:
58-
permissions:
59-
contents: read
60-
security-events: write
61-
actions: read
62-
name: Trivy image scan
63-
runs-on: ubuntu-latest
64-
steps:
65-
- name: Checkout code
66-
uses: actions/checkout@v4
67-
with:
68-
lfs: true
69-
submodules: recursive
70-
71-
- name: Checkout LFS objects
72-
run: git lfs checkout
73-
74-
- name: Build an image from Dockerfile
75-
run: |
76-
docker build -t ${{ github.sha }} .
77-
78-
- name: Run Trivy vulnerability scanner in image mode (table output)
79-
uses: aquasecurity/trivy-action@0.24.0
80-
with:
81-
image-ref: '${{ github.sha }}'
82-
ignore-unfixed: true
83-
format: 'table'
84-
85-
- name: Run Trivy vulnerability scanner in image mode (sarif output)
86-
uses: aquasecurity/trivy-action@0.24.0
87-
with:
88-
image-ref: '${{ github.sha }}'
89-
ignore-unfixed: true
90-
format: 'sarif'
91-
output: 'trivy-results.sarif'
92-
93-
- name: Upload Trivy scan results to GitHub Security tab
94-
uses: github/codeql-action/upload-sarif@v3
95-
with:
96-
sarif_file: 'trivy-results.sarif'
2+
name: Trivy scan
3+
4+
on:
5+
push:
6+
branches: [ "master" ]
7+
pull_request:
8+
types: [opened, reopened, synchronize]
9+
schedule:
10+
# 00:00 every 14 days
11+
- cron: 0 0 */14 * *
12+
13+
permissions:
14+
contents: read
15+
16+
jobs:
17+
trivy-repo-scan:
18+
permissions:
19+
contents: read
20+
security-events: write
21+
actions: read
22+
name: Trivy repo scan
23+
runs-on: ubuntu-latest
24+
env:
25+
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
26+
TRIVY_JAVA_DB_REPOSTITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
27+
steps:
28+
- name: Checkout code
29+
uses: actions/checkout@v6
30+
with:
31+
lfs: true
32+
submodules: recursive
33+
34+
- name: Checkout LFS objects
35+
run: git lfs checkout
36+
37+
- name: Run Trivy vulnerability scanner in repo mode (table)
38+
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
39+
with:
40+
scan-type: 'fs'
41+
ignore-unfixed: true
42+
format: 'table'
43+
44+
- name: Run Trivy vulnerability scanner in repo mode (sarif)
45+
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
46+
with:
47+
scan-type: 'fs'
48+
ignore-unfixed: true
49+
format: 'sarif'
50+
output: 'trivy-results.sarif'
51+
52+
- name: Upload Trivy scan results to GitHub Security tab
53+
uses: github/codeql-action/upload-sarif@v4
54+
with:
55+
sarif_file: 'trivy-results.sarif'
56+
57+
trivy-image-scan:
58+
permissions:
59+
contents: read
60+
security-events: write
61+
actions: read
62+
name: Trivy image scan
63+
runs-on: ubuntu-latest
64+
steps:
65+
- name: Checkout code
66+
uses: actions/checkout@v6
67+
with:
68+
lfs: true
69+
submodules: recursive
70+
71+
- name: Checkout LFS objects
72+
run: git lfs checkout
73+
74+
- name: Build an image from Dockerfile
75+
run: |
76+
docker build -t ${{ github.sha }} .
77+
78+
- name: Run Trivy vulnerability scanner in image mode (table output)
79+
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
80+
with:
81+
image-ref: '${{ github.sha }}'
82+
ignore-unfixed: true
83+
format: 'table'
84+
85+
- name: Run Trivy vulnerability scanner in image mode (sarif output)
86+
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
87+
with:
88+
image-ref: '${{ github.sha }}'
89+
ignore-unfixed: true
90+
format: 'sarif'
91+
output: 'trivy-results.sarif'
92+
93+
- name: Upload Trivy scan results to GitHub Security tab
94+
uses: github/codeql-action/upload-sarif@v4
95+
with:
96+
sarif_file: 'trivy-results.sarif'

0 commit comments

Comments
 (0)