Skip to content

release.yaml test

release.yaml test #182

name: trivy dependency check for package.json
# https://github.com/aquasecurity/trivy-action#usage
# TODO: aquaを使ってインストールして使う形にしたほうがわかりやすいかも
on:
push:
paths:
- "package.json"
- ".github/workflows/react-dependency-check.yaml"
schedule:
# 日曜日の午前0時に実行
- cron: '0 0 * * 0'
defaults:
run:
shell: bash
jobs:
trivy-scan:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: clone application source code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: use trivy
uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # v0.22.0
with:
scan-type: 'fs'
#exit-code: 1
scanners: 'vuln'
vuln-type: 'library'
hide-progress: true
format: 'sarif'
output: 'sca-report.sarif'
severity: 'CRITICAL,HIGH'
- name: save report as pipeline artifact
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: sca-report.sarif
path: sca-report.sarif
- name: publish trivy alerts
uses: github/codeql-action/upload-sarif@a073c66b2accf653a511d88537804dcafa07812e # v2.25.10
with:
sarif_file: 'sca-report.sarif'
category: trivy