-
Notifications
You must be signed in to change notification settings - Fork 301
77 lines (65 loc) · 2.62 KB
/
trivy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
# SPDX-License-Identifier: BSD-2-Clause-Patent
# Copyright (c) 2024 Intel Corporation.
name: Trivy scan
on:
workflow_dispatch:
schedule:
- cron: '0 0 * * *'
push:
branches: ["master", "release/**"]
pull_request:
branches: ["master", "release/**"]
# Declare default permissions as nothing.
permissions: {}
jobs:
scan:
name: Scan with Trivy
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run Trivy vulnerability scanner in filesystem mode (table format)
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
with:
scan-type: 'fs'
scan-ref: '.'
trivy-config: 'utils/trivy/trivy.yaml'
- name: Prepare the report to be uploaded to the GitHub artifact store
run: |
mkdir report
cp trivy-report-daos.txt report
cp utils/trivy/.trivyignore report/trivyignore.txt
- name: Upload the report to the GitHub artifact store
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
path: report/*
name: trivy-report-daos
- name: Adjust config file to use sarif format
run: |
sed -i 's/output: "trivy-report-daos.txt"/output: "trivy-results.sarif"/g' \
utils/trivy/trivy.yaml
sed -i 's/format: template/format: sarif/g' utils/trivy/trivy.yaml
- name: Run Trivy vulnerability scanner in filesystem mode (sarif format)
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
with:
scan-type: 'fs'
scan-ref: '.'
trivy-config: 'utils/trivy/trivy.yaml'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a
# 3.25.15 (v3)
with:
sarif_file: 'trivy-results.sarif'
- name: Adjust config file to show and validate scan results
run: |
sed -i 's/output: "trivy-results.sarif"//g' utils/trivy/trivy.yaml
sed -i 's/format: sarif/format: table/g' utils/trivy/trivy.yaml
sed -i 's/exit-code: 0/exit-code: 1/g' utils/trivy/trivy.yaml
- name: Run Trivy vulnerability scanner in filesystem mode (human readable format)
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
with:
scan-type: 'fs'
scan-ref: '.'
trivy-config: 'utils/trivy/trivy.yaml'