Skip to content

DAOS-623 ci: Add a workflow for Trivy scan #2

DAOS-623 ci: Add a workflow for Trivy scan

DAOS-623 ci: Add a workflow for Trivy scan #2

Workflow file for this run

name: Trivy scan
on:
pull_request:
branches: ["master", "release/**"]
# Declare default permissions as nothing.
permissions: {}
jobs:
build:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
with:
scan-type: 'fs'
scan-ref: '.'
trivy-config: 'utils/trivy/trivy.yaml'
- name: Prepare the report to be uploaded to the GitHub artifact store
run: |
mkdir report
cp trivy-report-daos.txt report
cp utils/trivy/.trivyignore report/trivyignore.txt
- name: Upload the report to the GitHub artifact store
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
path: report/*
name: trivy-report-daos
- name: Adjust config file to use sarif format
run: |
sed -i 's/output: "trivy-report-daos.txt"/output: "trivy-results.sarif"/g' \
utils/trivy/trivy.yaml
sed -i 's/format: template/format: sarif/g' utils/trivy/trivy.yaml
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
with:
scan-type: 'fs'
scan-ref: '.'
trivy-config: 'utils/trivy/trivy.yaml'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
- name: Adjust config file to show and validate scan results
run: |
sed -i 's/output: "trivy-results.sarif"//g' utils/trivy/trivy.yaml
sed -i 's/format: template/format: table/g' utils/trivy/trivy.yaml
sed -i 's/exit-code: 0/exit-code: 1/g' utils/trivy/trivy.yaml
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
with:
scan-type: 'fs'
scan-ref: '.'
trivy-config: 'utils/trivy/trivy.yaml'