|
1 | | -# This workflow uses actions that are not certified by GitHub. |
2 | | -# They are provided by a third-party and are governed by |
3 | | -# separate terms of service, privacy policy, and support |
4 | | -# documentation. |
5 | | - |
6 | | -name: trivy |
7 | | - |
| 1 | +name: Trivy |
8 | 2 | on: |
9 | | - push: |
10 | | - branches: [ "main" ] |
11 | | - pull_request: |
12 | | - # The branches below must be a subset of the branches above |
13 | | - branches: [ "main" ] |
14 | | - schedule: |
15 | | - - cron: '25 2 * * 0' |
16 | | - |
17 | | -permissions: |
| 3 | + workflow_dispatch: |
| 4 | + |
| 5 | +permissions: # added using https://github.com/step-security/secure-repo |
18 | 6 | contents: read |
19 | 7 |
|
20 | 8 | jobs: |
21 | | - build: |
| 9 | + trivy-scan: |
22 | 10 | permissions: |
23 | | - contents: read # for actions/checkout to fetch code |
24 | | - security-events: write # for github/codeql-action/upload-sarif to upload SARIF results |
25 | | - actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status |
26 | | - name: Build |
| 11 | + contents: read # for actions/checkout to fetch code |
| 12 | + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results |
| 13 | + name: Trivy Scan |
27 | 14 | runs-on: ubuntu-latest |
28 | 15 | steps: |
29 | | - - name: Checkout code |
30 | | - uses: actions/checkout@v4 |
31 | | - |
32 | | - - name: Build an image from Dockerfile |
33 | | - run: | |
34 | | - docker build -t docker.io/my-organization/my-app:${{ github.sha }} . |
| 16 | + - name: Harden the runner (Audit all outbound calls) |
| 17 | + uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0 |
| 18 | + with: |
| 19 | + egress-policy: audit |
35 | 20 |
|
36 | | - - name: Run Trivy vulnerability scanner |
37 | | - uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe |
| 21 | + - name: Checkout code |
| 22 | + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 |
| 23 | + |
| 24 | + - name: Run Trivy vulnerability scanner in repo mode |
| 25 | + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0 |
38 | 26 | with: |
39 | | - image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' |
40 | | - format: 'template' |
41 | | - template: '@/contrib/sarif.tpl' |
| 27 | + scan-type: 'fs' |
| 28 | + ignore-unfixed: true |
| 29 | + format: 'sarif' |
42 | 30 | output: 'trivy-results.sarif' |
43 | | - severity: 'CRITICAL,HIGH' |
44 | | - |
| 31 | + severity: 'CRITICAL, HIGH, MEDIUM, LOW' |
| 32 | + - name: Upload trivy results |
| 33 | + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 |
| 34 | + with: |
| 35 | + name: trivy-results |
| 36 | + path: trivy-results.sarif |
45 | 37 | - name: Upload Trivy scan results to GitHub Security tab |
46 | | - uses: github/codeql-action/upload-sarif@v3 |
| 38 | + uses: github/codeql-action/upload-sarif@1b549b9259bda1cb5ddde3b41741a82a2d15a841 # v3.28.13 |
47 | 39 | with: |
48 | 40 | sarif_file: 'trivy-results.sarif' |
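Review bot: The `on:` block on the new side keeps only `workflow_dispatch:`, so the `push`, `pull_request` and weekly `cron` triggers the removed lines provided are gone and the repository is now scanned only when someone runs the workflow by hand — a CVE published against a dependency already on `main` will not reach the Security tab on its own. Unless manual-only is intended, keep the dispatch trigger but add the schedule back, e.g. `schedule:` / `  - cron: '25 2 * * 0'`, and a `pull_request` filter on `main` so new dependencies are scanned before merge. In the Trivy step, `ignore-unfixed: true` silently drops every finding that has no upstream fix yet, which is a defensible noise trade-off but deserves a comment such as `# ignore-unfixed: CVEs without an upstream patch are hidden from the Security tab`; and `severity: 'CRITICAL, HIGH, MEDIUM, LOW'` has spaces after the commas, which the trivy-action examples do not use, so `'CRITICAL,HIGH,MEDIUM,LOW'` avoids relying on the CLI to trim them. `egress-policy: audit` only logs outbound calls; once a few runs have established the baseline, switching to `block` with an `allowed-endpoints` list is what actually constrains a compromised step.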