Merge pull request #82 from paullockaby/add-trivy

feat: enable trivy scanning in pipelines
paullockaby · Dec 8, 2024 · 6761241 · 6761241
2 parents eb9c03d + 7b537bc
commit 6761241
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 3 deletions.
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -5,6 +5,7 @@ on:
 
 jobs:
   pre-commit:
+    if: github.event_name == 'pull_request'
     runs-on: ubuntu-latest
 
     permissions:
@@ -24,11 +25,31 @@ jobs:
         env:
           SKIP: no-commit-to-branch
 
-  test:
+  security:
     runs-on: ubuntu-latest
 
-    needs:
-      - pre-commit
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup trivy
+        uses: aquasecurity/[email protected]
+        with:
+          cache: true
+          version: latest
+
+      - name: Run trivy configuration checks
+        run: |
+          trivy config . --config=.trivy.yaml --ignorefile=.trivyignore
+
+      - name: Run trivy filesystem checks
+        run: |
+          trivy filesystem . --config=.trivy.yaml --ignorefile=.trivyignore --no-progress
+
+  test:
+    runs-on: ubuntu-latest
 
     permissions:
       contents: read

diff --git a/.trivy.yaml b/.trivy.yaml
@@ -0,0 +1,8 @@
+exit-code: 1
+
+severity:
+  - HIGH
+  - CRITICAL
+
+scan:
+  skip-dirs: []
diff --git a/.trivyignore b/.trivyignore