Feature/1097 track subtask retries #3310
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Platform Vulnerability Scanning | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| - stable** | |
| workflow_dispatch: | |
| inputs: | |
| cve_severity: | |
| description: 'Severities of vulnerabilities to scanned for, [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]' | |
| required: false | |
| default: 'CRITICAL,HIGH' | |
| ignore_unfixed: | |
| description: 'Include unfixed vulnerabilities in scan [true,false]' | |
| required: false | |
| default: 'true' | |
| workflow_call: | |
| inputs: | |
| cve_severity: | |
| description: 'Severities of vulnerabilities to scanned for, [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL]' | |
| required: false | |
| default: 'CRITICAL,HIGH' | |
| type: string | |
| ignore_unfixed: | |
| description: 'Include unfixed vulnerabilities in scan [true,false]' | |
| required: false | |
| default: 'true' | |
| type: string | |
| exit_code: | |
| description: 'Exit code if vulnerabilities found [0,1]' | |
| required: false | |
| default: '1' | |
| type: string | |
| jobs: | |
| scan_repo: | |
| name: Scan Repo | |
| env: | |
| SEVERITY: 'HIGH,CRITICAL' | |
| REPORT: 'repo-results.sarif' | |
| IGNORE_UNFIXED: 'true' | |
| EXIT_CODE: '1' | |
| TRIVY_SKIP_DB_UPDATE: true | |
| TRIVY_SKIP_JAVA_DB_UPDATE: true | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Adding code-scanning URL | |
| run: echo "### [code-scanning results](https://github.com/${{ github.repository }}/security/code-scanning?query=branch%3A${{ github.ref_name }})" >> $GITHUB_STEP_SUMMARY | |
| - name: Set inputs | |
| if: github.event_name == 'workflow_call' || github.event_name == 'workflow_dispatch' | |
| run: | | |
| echo "SEVERITY=${{ inputs.cve_severity }}" >> $GITHUB_ENV | |
| echo "IGNORE_UNFIXED=${{ inputs.ignore_unfixed }}" >> $GITHUB_ENV | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| - name: Trivy vulnerability scanner | |
| if: env.SEVERITY != '' | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: 'fs' | |
| exit-code: '1' | |
| ignore-unfixed: ${{ env.IGNORE_UNFIXED }} | |
| severity: ${{ env.SEVERITY }} | |
| scanners: 'vuln' | |
| skip-dirs: './docker' | |
| - name: Trivy Configuration scanner (no fail) | |
| if: env.SEVERITY != '' | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: 'fs' | |
| exit-code: '0' | |
| ignore-unfixed: ${{ env.IGNORE_UNFIXED }} | |
| severity: ${{ env.SEVERITY }} | |
| scanners: 'config,secret' | |
| skip-dirs: './docker' | |
| - name: Create Report | |
| if: success() || failure() | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| format: 'sarif' | |
| output: ${{ env.REPORT }} | |
| scan-type: 'fs' | |
| exit-code: '0' | |
| ignore-unfixed: ${{ env.IGNORE_UNFIXED }} | |
| scanners: 'vuln' | |
| skip-dirs: './docker' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| if: success() || failure() | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: ${{ env.REPORT }} | |
| - name: Store CVE report | |
| if: success() || failure() | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ env.REPORT }} | |
| path: ${{ env.REPORT }} | |
| retention-days: 3 |