Skip to content

Trivy

Trivy #66

Workflow file for this run

name: Trivy
on:
schedule:
- cron: "0 0 * * *"
workflow_dispatch:
inputs:
branch:
description: 'branch to run scans on'
default: 'main'
type: string
env:
BUILD_TYPE: Release
MTL_BUILD_DISABLE_PCAPNG: true
PREFIX_DIR: /usr/local
DEBIAN_FRONTEND: noninteractive
permissions:
contents: read
jobs:
trivy:
name: Build
runs-on: ubuntu-20.04
steps:
- name: Checkout code
uses: actions/checkout@v2
with:
ref: ${{ inputs.branch }}
- name: 'Install dependencies'
run: |
sudo apt-get update -y && \
sudo apt-get install -y --no-install-recommends \
git build-essential meson python3 python3-pyelftools pkg-config \
libnuma-dev libjson-c-dev libpcap-dev libgtest-dev libsdl2-dev \
libsdl2-ttf-dev libssl-dev ca-certificates m4 clang llvm zlib1g-dev \
libelf-dev libcap-ng-dev libcap2-bin gcc-multilib systemtap-sdt-dev ninja-build \
nasm dpdk-dev librdmacm-dev && \
sudo apt-get clean && \
sudo rm -rf /var/lib/apt/lists/*
- name: Build an image from Dockerfile
run: |
cd docker
docker build -t mtl:latest -f ubuntu.dockerfile ../
- name: Run Trivy vulnerability scanner with sarif output
uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0
with:
image-ref: 'mtl:latest'
format: 'sarif'
exit-code: '0'
ignore-unfixed: true
vuln-type: 'os,library'
output: 'Trivy-image-scan-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
if: always()
uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
with:
sarif_file: 'Trivy-image-scan-results.sarif'
- name: Run Trivy vulnerability scanner with with table output
if: always()
uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # v0.23.0
with:
image-ref: 'mtl:latest'
format: 'sarif'
scanners: 'vuln,secret,misconfig'
exit-code: '1'
output: 'Trivy-image-scan-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
with:
sarif_file: 'Trivy-image-scan-results.sarif'
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: trivy-results
path: 'trivy-results.sarif'
format: 'table'
exit-code: '0'
ignore-unfixed: true
vuln-type: 'os,library'
output: 'Trivy-image-scan-results.txt'
- uses: actions/upload-artifact@v4
if: always()
with:
name: trivy-results
path: 'Trivy-image-scan-results.txt'