Skip to content

Commit fd5590f

Browse files
authored
Merge pull request #2783 from tawoe/bugfix/trivy
fix trivy
2 parents 086793a + c914cf3 commit fd5590f

1 file changed

Lines changed: 11 additions & 6 deletions

File tree

.github/workflows/run_trivy.yml

Lines changed: 11 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,15 @@
11
name: scan container image
22

33
on:
4+
workflow_dispatch:
5+
inputs:
6+
image_sha:
7+
description: 'Commit SHA of the image to scan (defaults to current HEAD)'
8+
required: false
9+
default: ''
410
workflow_run:
511
workflows:
612
- Build and publish container develop
7-
- Build and publish container non develop
813
types:
914
- completed
1015
env:
@@ -15,7 +20,7 @@ env:
1520
jobs:
1621
build:
1722
runs-on: ubuntu-latest
18-
if: github.repository == 'OpenBankProject/OBP-API' && github.event.workflow_run.conclusion == 'success'
23+
if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
1924

2025
steps:
2126
- uses: actions/checkout@v4
@@ -29,19 +34,19 @@ jobs:
2934
jqFilter='.[] | select(.metadata.container.tags[] | contains("latest")) | .name | sub("sha256:";"")'
3035
sha=$(gh api -H "${headers}" "${endpoint}" | jq --raw-output "${jqFilter}")
3136
echo "Trivy DB sha256:${sha}"
32-
echo "::set-output name=sha::${sha}"
37+
echo "sha=${sha}" >> $GITHUB_OUTPUT
3338
- uses: actions/cache@v4
3439
with:
3540
path: .trivy
3641
key: ${{ runner.os }}-trivy-db-${{ steps.trivy-db.outputs.sha }}
3742
- name: Run Trivy vulnerability scanner
38-
uses: aquasecurity/trivy-action@master
43+
uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25
3944
with:
40-
image-ref: "docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${{ github.sha }}"
45+
image-ref: "docker.io/${{ env.DOCKER_HUB_ORGANIZATION }}/${{ env.DOCKER_HUB_REPOSITORY }}:${{ github.event_name == 'workflow_dispatch' && (inputs.image_sha || github.sha) || github.event.workflow_run.head_sha }}"
4146
format: "template"
4247
template: "@/contrib/sarif.tpl"
4348
output: "trivy-results.sarif"
44-
security-checks: "vuln"
49+
scanners: "vuln"
4550
severity: "CRITICAL,HIGH"
4651
timeout: "30m"
4752
cache-dir: .trivy

0 commit comments

Comments
 (0)