Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 10 additions & 2 deletions .github/workflows/docker-publish.yml
Original file line number Diff line number Diff line change
Expand Up @@ -146,6 +146,8 @@ jobs:

- name: Scan image for vulnerabilities (Trivy)
uses: aquasecurity/trivy-action@0.30.0
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest-amd64
format: sarif
Expand All @@ -155,7 +157,7 @@ jobs:
exit-code: '0'

- name: Upload Trivy SARIF to Security tab
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: trivy-release.sarif
Expand All @@ -165,6 +167,8 @@ jobs:
# from the SARIF step above (trivy-action exports env vars that persist
# across steps; a second trivy-action invocation cannot fully override them).
- name: Fail release on CRITICAL vulnerabilities
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
run: |
trivy image \
--format table \
Expand Down Expand Up @@ -489,6 +493,8 @@ jobs:
# CRITICAL findings fail the PR check; HIGH are informational only.
- name: Scan PR image for vulnerabilities (Trivy)
uses: aquasecurity/trivy-action@0.30.0
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:pr-${{ github.event.pull_request.number }}-amd64
format: sarif
Expand All @@ -498,7 +504,7 @@ jobs:
exit-code: '0'

- name: Upload Trivy SARIF to Security tab
uses: github/codeql-action/upload-sarif@v3
uses: github/codeql-action/upload-sarif@v4
if: always()
with:
sarif_file: trivy-pr.sarif
Expand All @@ -508,6 +514,8 @@ jobs:
# from the SARIF step above (trivy-action exports env vars that persist
# across steps; a second trivy-action invocation cannot fully override them).
- name: Fail PR on CRITICAL vulnerabilities
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
run: |
trivy image \
--format table \
Expand Down
Loading