From 6ceda7d3044a2d804241e1c9e1ba267fd04b7426 Mon Sep 17 00:00:00 2001 From: mitchell Date: Mon, 26 Aug 2024 15:34:16 -0400 Subject: [PATCH 1/5] First attempt using aquasecurity/trivy-action to scan for CVEs during build. --- .github/workflows/build.yml | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 04e4e3557d..7609780361 100755 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -215,6 +215,16 @@ jobs: shell: bash run: parallelize results Build-Executor + - # === Scan for CVEs (Linux only) === + name: Scan for CVEs + if: runner.os == 'Linux' + uses: aquasecurity/trivy-action@0.20.0 + with: + scan-type: fs + scan-ref: build + format: table + exit-code: 1 + - # === Prepare Windows Cert === name: Prepare Windows Cert shell: bash @@ -426,7 +436,7 @@ jobs: name: Install Go uses: actions/setup-go@v3 with: - go-version: ${{ matrix.go-version }} + go-version: 1.22.x - # === Install State Tool === name: Install State Tool From 707fe6becb2fa914888a4a3198a6c820cdf84073 Mon Sep 17 00:00:00 2001 From: mitchell Date: Mon, 26 Aug 2024 16:09:00 -0400 Subject: [PATCH 2/5] Update build.yml --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7609780361..7cc27a5d40 100755 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -221,7 +221,7 @@ jobs: uses: aquasecurity/trivy-action@0.20.0 with: scan-type: fs - scan-ref: build + scan-ref: '.' format: table exit-code: 1 @@ -436,7 +436,7 @@ jobs: name: Install Go uses: actions/setup-go@v3 with: - go-version: 1.22.x + go-version: 1.20.x - # === Install State Tool === name: Install State Tool From 33bfe8369b742d0bd9b0b6ec4f5a4dc26d35c881 Mon Sep 17 00:00:00 2001 
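Review bot: `uses: aquasecurity/trivy-action@0.20.0` in the first hunk pins a third-party action that runs over the checkout and the freshly built artifacts by a mutable tag; pin it to the full commit SHA and keep the version as a trailing comment, `uses: aquasecurity/trivy-action@<full-commit-sha>  # 0.20.0`, so a moved tag cannot change what executes inside the build job. With `exit-code: 1` and no `severity` or `ignore-unfixed` input, a finding of any severity, including ones with no fix available, fails the build; if zero tolerance is intended, say so in a comment, otherwise `severity: CRITICAL,HIGH` and `ignore-unfixed: true` make the gate actionable. Because of `if: runner.os == 'Linux'`, only the Linux build output is ever scanned, which is only sound if the other platforms build from the same dependency set, and that assumption deserves a comment on the step. The enclosing job and its step list start and end outside the hunk.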
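Review bot: The second hunk of patch 1/5 replaces `go-version: ${{ matrix.go-version }}` with the literal `1.22.x`, dropping the matrix parameterization in a change whose subject is about CVE scanning, and patch 2/5 then changes it again to `1.20.x`, so this reads as an experiment that was never reverted. If the job's matrix still declares `go-version`, the matrix value and this step now diverge silently; either restore `go-version: ${{ matrix.go-version }}` or remove the matrix entry and add a comment explaining why this job is pinned to one Go line. The job around this hunk starts and ends outside it.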
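Review bot: `scan-ref: '.'` in patch 2/5 points the scan at the whole checkout instead of the build output, so its findings describe the repository's manifests rather than the artifact that ships, and patches 3/5, 4/5 and 5/5 then move the target again to `build/state`, `rootfs` mode and `build`, which reads as trial and error rather than a chosen design. Whatever the final target is, the step should carry a comment naming what Trivy is expected to analyse there, e.g. `# rootfs scan of the build/ output so the shipped binaries are checked, not only go.mod`; I cannot see the build layout, so confirm that wording against it. Without such a comment an empty report cannot be told apart from Trivy finding nothing it could parse. The step's `name` and `if` lines are outside this hunk.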
From: mitchell Date: Mon, 26 Aug 2024 16:20:02 -0400 Subject: [PATCH 3/5] Update build.yml --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7cc27a5d40..1912897d7c 100755 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -221,7 +221,7 @@ jobs: uses: aquasecurity/trivy-action@0.20.0 with: scan-type: fs - scan-ref: '.' + scan-ref: build/state format: table exit-code: 1 From afc77921799cfb5d33fee93a6cc0db52cc25f72a Mon Sep 17 00:00:00 2001 From: mitchell Date: Mon, 26 Aug 2024 16:28:51 -0400 Subject: [PATCH 4/5] Update build.yml --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1912897d7c..e115a31d1f 100755 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -220,7 +220,7 @@ jobs: if: runner.os == 'Linux' uses: aquasecurity/trivy-action@0.20.0 with: - scan-type: fs + scan-type: rootfs scan-ref: build/state format: table exit-code: 1 From 8966cd1c9f1c16bb602266a0f73e5e247ac7bfc6 Mon Sep 17 00:00:00 2001 From: mitchell Date: Mon, 26 Aug 2024 16:33:36 -0400 Subject: [PATCH 5/5] Update build.yml --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e115a31d1f..5608edf211 100755 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -221,7 +221,7 @@ jobs: uses: aquasecurity/trivy-action@0.20.0 with: scan-type: rootfs - scan-ref: build/state + scan-ref: build format: table exit-code: 1