diff --git a/.github/.trivyignore b/.github/.trivyignore new file mode 100644 index 00000000..0d0839f3 --- /dev/null +++ b/.github/.trivyignore @@ -0,0 +1,6 @@ +# ignore known CVEs that are not backported before Go 1.17 + +CVE-2022-41721 +CVE-2022-41717 +CVE-2022-41723 +CVE-2022-32149 diff --git a/.github/trivy.yaml b/.github/trivy.yaml new file mode 100644 index 00000000..7337ce08 --- /dev/null +++ b/.github/trivy.yaml @@ -0,0 +1,4 @@ +timeout: 20m +scan: + offline-scan: true +ignore-file: .github/.trivyignore diff --git a/.github/workflows/scanning.yml b/.github/workflows/scanning.yml new file mode 100644 index 00000000..83a36233 --- /dev/null +++ b/.github/workflows/scanning.yml @@ -0,0 +1,22 @@ +name: Vulnerability scanning + +on: + push: + branches: [master] + pull_request: + branches: [master] + +jobs: + scan: + name: Scan for known vulnerabilities + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + - name: Run Github Trivy FS Action + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + scan-ref: '.' + trivy-config: .github/trivy.yaml