diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index f8628cd..803c2e3 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -146,6 +146,8 @@ jobs: - name: Scan image for vulnerabilities (Trivy) uses: aquasecurity/trivy-action@0.30.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest-amd64 format: sarif @@ -155,7 +157,7 @@ jobs: exit-code: '0' - name: Upload Trivy SARIF to Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 if: always() with: sarif_file: trivy-release.sarif @@ -165,6 +167,8 @@ jobs: # from the SARIF step above (trivy-action exports env vars that persist # across steps; a second trivy-action invocation cannot fully override them). - name: Fail release on CRITICAL vulnerabilities + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db run: | trivy image \ --format table \ @@ -489,6 +493,8 @@ jobs: # CRITICAL findings fail the PR check; HIGH are informational only. - name: Scan PR image for vulnerabilities (Trivy) uses: aquasecurity/trivy-action@0.30.0 + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db with: image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:pr-${{ github.event.pull_request.number }}-amd64 format: sarif @@ -498,7 +504,7 @@ jobs: exit-code: '0' - name: Upload Trivy SARIF to Security tab - uses: github/codeql-action/upload-sarif@v3 + uses: github/codeql-action/upload-sarif@v4 if: always() with: sarif_file: trivy-pr.sarif @@ -508,6 +514,8 @@ jobs: # from the SARIF step above (trivy-action exports env vars that persist # across steps; a second trivy-action invocation cannot fully override them). - name: Fail PR on CRITICAL vulnerabilities + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db run: | trivy image \ --format table \