Revert "Use the trivy action instead of hand-roll"

This reverts commit c8e739c.
authzed · Oct 28, 2024 · b83dc23 · b83dc23
1 parent c8e739c
commit b83dc23
Showing 1 changed file with 4 additions and 11 deletions.
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
@@ -77,14 +77,7 @@ jobs:
           GORELEASER_KEY: "${{ secrets.GORELEASER_KEY }}"
       - name: "Obtain container image to scan"
         run: 'echo "IMAGE_VERSION=$(jq .version dist/linux_amd64_v1/metadata.json --raw-output)" >> $GITHUB_ENV'
-      - uses: "aquasecurity/trivy-action@master"
-        name: "run trivy on release image"
-        with:
-          scan-type: "image"
-          scan-ref: "authzed/spicedb:v${{ env.IMAGE_VERSION }}-amd64"
-          ignore-unfixed: true
-          format: "table"
-          exit-code: "1"
-          severity: "CRITICAL,HIGH,MEDIUM"
-          # We already set up trivy in a previous step
-          skip-setup-trivy: true
+      - name: "run trivy on release image"
+        # NOTE: the --registry-token flag is used to ensure that we're making an authenticated request to ghcr; otherwise we get
+        # rate-limited.
+        run: "docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image --registry-token ${{ secrets.GITHUB_TOKEN }} --format table --exit-code 1 --ignore-unfixed --no-progress --severity CRITICAL,HIGH,MEDIUM authzed/spicedb:v${{ env.IMAGE_VERSION }}-amd64"