forked from RaminNietzsche/CVE-Radar
-
Notifications
You must be signed in to change notification settings - Fork 0
99 lines (88 loc) · 3 KB
/
Copy pathsecurity-container-trivy.yml
File metadata and controls
99 lines (88 loc) · 3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
# Category: Security | Trivy container scan — build image, fail on HIGH/CRITICAL.
# Docs-only PRs: touch this file (or Dockerfile) so the required Trivy check runs on pull_request.
# Asset paths: extended-docs/hooks/asset_paths.py rewrites icon src at build time.
name: Security / Container scan
on:
pull_request:
branches: [main]
paths: &trivy-paths
- "Dockerfile"
- ".trivyignore"
- "docker-compose*.yml"
- "docker-compose*.yaml"
- ".dockerignore"
- "package.json"
- "package-lock.json"
- ".npmrc"
- "server/**"
- ".github/workflows/security-container-trivy.yml"
- ".github/workflows/security/**"
push:
branches: [main]
paths: *trivy-paths
schedule:
- cron: "30 3 * * 1"
workflow_dispatch:
permissions:
contents: read
security-events: write
concurrency:
group: security-trivy-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
jobs:
trivy:
name: Trivy
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
- name: Build image for scan
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
with:
context: .
push: false
load: true
tags: cve-radar:scan
# Fresh prod install — avoid stale GHA cache layers with old node_modules (Trivy).
no-cache: true
- name: Run Trivy (OS gate)
uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0
with:
image-ref: cve-radar:scan
format: table
severity: HIGH,CRITICAL
ignore-unfixed: true
vuln-type: os
trivyignores: .trivyignore
exit-code: 1
- name: Run Trivy (node-pkg report)
uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0
with:
image-ref: cve-radar:scan
format: table
severity: HIGH,CRITICAL
ignore-unfixed: true
vuln-type: library
trivyignores: .trivyignore
exit-code: 0
- name: Run Trivy (SARIF for GitHub Security)
uses: aquasecurity/trivy-action@a9c7b0f06e461e9d4b4d1711f154ee024b8d7ab8 # v0.36.0
with:
image-ref: cve-radar:scan
format: sarif
output: trivy-results.sarif
exit-code: 0
severity: HIGH,CRITICAL
ignore-unfixed: true
vuln-type: os
scanners: vuln
trivyignores: .trivyignore
- name: Upload Trivy results to GitHub Security
uses: github/codeql-action/upload-sarif@411bbbe57033eedfc1a82d68c01345aa96c737d7 # v4
if: always() && hashFiles('trivy-results.sarif') != ''
with:
sarif_file: trivy-results.sarif
category: container-trivy