11name : scan container image
22
33on :
4+ workflow_dispatch :
5+ inputs :
6+ image_sha :
7+ description : ' Commit SHA of the image to scan (defaults to current HEAD)'
8+ required : false
9+ default : ' '
410 workflow_run :
511 workflows :
612 - Build and publish container develop
7- - Build and publish container non develop
813 types :
914 - completed
1015env :
1520jobs :
1621 build :
1722 runs-on : ubuntu-latest
18- if : github.repository == 'OpenBankProject/OBP-API' && github.event.workflow_run.conclusion == 'success'
23+ if : ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
1924
2025 steps :
2126 - uses : actions/checkout@v4
@@ -29,19 +34,19 @@ jobs:
2934 jqFilter='.[] | select(.metadata.container.tags[] | contains("latest")) | .name | sub("sha256:";"")'
3035 sha=$(gh api -H "${headers}" "${endpoint}" | jq --raw-output "${jqFilter}")
3136 echo "Trivy DB sha256:${sha}"
32- echo "::set-output name= sha:: ${sha}"
37+ echo "sha= ${sha}" >> $GITHUB_OUTPUT
3338 - uses : actions/cache@v4
3439 with :
3540 path : .trivy
3641 key : ${{ runner.os }}-trivy-db-${{ steps.trivy-db.outputs.sha }}
3742 - name : Run Trivy vulnerability scanner
38- uses : aquasecurity/trivy-action@master
43+ uses : aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25
3944 with :
40- image-ref : " docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${{ github.sha }}"
45+ image-ref : " docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${{ github.event_name == 'workflow_dispatch' && (inputs.image_sha || github. sha) || github.event.workflow_run.head_sha }}"
4146 format : " template"
4247 template : " @/contrib/sarif.tpl"
4348 output : " trivy-results.sarif"
44- security-checks : " vuln"
49+ scanners : " vuln"
4550 severity : " CRITICAL,HIGH"
4651 timeout : " 30m"
4752 cache-dir : .trivy
0 commit comments