diff --git a/.github/workflows/analysis.yaml b/.github/workflows/analysis.yaml
index e5ccd78..276fff9 100644
--- a/.github/workflows/analysis.yaml
+++ b/.github/workflows/analysis.yaml
@@ -1,43 +1,43 @@
-# name: Analysis
+name: Analysis
-# on:
-# push:
-# branches: [main]
-# pull_request:
-# types: [opened, reopened, synchronize, ready_for_review, converted_to_draft]
-# schedule:
-# - cron: "29 22 * * 4"
+on:
+ push:
+ branches: [main]
+ pull_request:
+ types: [opened, reopened, synchronize, ready_for_review, converted_to_draft]
+ schedule:
+ - cron: "29 22 * * 4"
-# permissions:
-# contents: read
+permissions:
+ contents: read
-# jobs:
-# trivy:
-# permissions:
-# contents: read
-# security-events: write
-# name: Trivy Security Scan
-# if: ${{ ! github.event.pull_request.draft }}
-# runs-on: ubuntu-22.04
-# timeout-minutes: 1
-# steps:
-# - name: Checkout code
-# uses: actions/checkout@v3
+jobs:
+ trivy:
+ permissions:
+ contents: read
+ security-events: write
+ name: Trivy Security Scan
+ if: ${{ ! github.event.pull_request.draft }}
+ runs-on: ubuntu-22.04
+ timeout-minutes: 1
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
-# - name: Run Trivy vulnerability scanner
-# uses: aquasecurity/trivy-action@0.22.0
-# with:
-# format: "sarif"
-# output: "trivy-results.sarif"
-# ignore-unfixed: true
-# scan-type: "fs"
-# scanners: "vuln,secret,config"
-# severity: "CRITICAL,HIGH"
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.22.0
+ with:
+ format: "sarif"
+ output: "trivy-results.sarif"
+ ignore-unfixed: true
+ scan-type: "fs"
+ scanners: "vuln,secret,config"
+ severity: "CRITICAL,HIGH"
-# - name: Print SARIF file
-# run: cat trivy-results.sarif
+ - name: Print SARIF file
+ run: cat trivy-results.sarif
-# - name: Upload Trivy scan results to GitHub Security tab
-# uses: github/codeql-action/upload-sarif@v3
-# with:
-# sarif_file: "trivy-results.sarif"
\ No newline at end of file
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: "trivy-results.sarif"
\ No newline at end of file
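Review bot: `timeout-minutes: 1` on the `trivy` job is very likely too tight for a filesystem scan that first has to pull the vulnerability database, so the job will tend to be cancelled before `trivy-results.sarif` is written and the Security-tab upload step never runs; a ceiling such as `timeout-minutes: 15` leaves room for the DB download while still catching a hung scan. The three `uses:` lines are pinned by tag only (`actions/checkout@v3`, `aquasecurity/trivy-action@0.22.0`, `github/codeql-action/upload-sarif@v3`); for a job that holds `security-events: write`, pin each one to a full commit SHA with the version kept in a trailing comment so a moved or replaced tag cannot change the code that runs. Because `scanners` includes `secret`, the `Print SARIF file` step copies every finding, including secret-scanner hits and their file locations, into the job log, which on a public repository anyone can read; if the step was only added for debugging, remove it once the upload step is confirmed to work.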
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..4034e1a
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,2 @@
+# Ignore possible issue with empty URI
+AVD-AWS-0112
\ No newline at end of file
diff --git a/samNode/template.yaml b/samNode/template.yaml
index 872ae86..221a841 100644
--- a/samNode/template.yaml
+++ b/samNode/template.yaml
@@ -15,7 +15,6 @@ Globals: AWSREGION: !Ref AWSDefaultRegion DYNAMODB_ENDPOINT_URL: "https://dynamodb.ca-central-1.amazonaws.com" - Parameters: Algorithm: Type: String
@@ -1490,10 +1489,10 @@ Resources: ############ # S3 Bucket ############ - ParksAssetsS3BucketSAM: - Type: 'AWS::S3::Bucket' - Properties: - BucketName: !Ref S3BucketData + # ParksAssetsS3BucketSAM: + # Type: 'AWS::S3::Bucket' + # Properties: + # BucketName: !Ref S3BucketData ############# # SQS Queues
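Review bot: The new `.trivyignore` suppresses `AVD-AWS-0112` for every scan target in the repository, and the comment `# Ignore possible issue with empty URI` names neither the resource that trips the check nor why the finding does not apply, so nobody can later judge when the suppression is safe to remove. Record the check's title, the template and resource it fires on, and the reason it is a false positive, e.g. `# AVD-AWS-0112: <check title> – false positive on <resource> in samNode/template.yaml because <reason>`, and consider Trivy's per-entry expiry form `AVD-AWS-0112 exp:<YYYY-MM-DD>` so the entry is revisited instead of becoming permanent. The file is also written without a trailing newline.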
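Review bot: Commenting out `ParksAssetsS3BucketSAM` in samNode/template.yaml drops the bucket from the stack's resource set, and if that resource has already been deployed the next stack update will try to delete the bucket; with no `DeletionPolicy` set, CloudFormation's default for `AWS::S3::Bucket` is to delete it, which fails and rolls the update back when the bucket holds objects. If the intent is to stop managing an existing bucket, add `DeletionPolicy: Retain` in a release before removing the resource, or note in the template that it was never created in any environment. Whether the `S3BucketData` parameter still has other consumers is not visible in this hunk (the `Resources:` section continues on both sides of it); if it does not, remove the parameter too, and if it does, the bucket this stack no longer creates has to be provisioned elsewhere. Commented-out resources are better deleted in favour of git history, with a one-line comment saying where the bucket is now managed.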