digitalservicebund · manuelpuchta · Oct 10, 2024 · Oct 9, 2024 · Oct 9, 2024 · Oct 9, 2024
diff --git a/.github/workflows/pipeline.yml b/.github/workflows/pipeline.yml
@@ -150,8 +150,12 @@ jobs:
         # Third-party action, pin to commit SHA!
         # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
         uses: aquasecurity/trivy-action@a20de5420d57c4102486cdd9578b45609c99d7eb # v0.26.0
+        env:
+          # specify multiple registries: try default GitHub registry, if too many requests, use the aws mirror
+          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
         with:
           image-ref: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          scanners: "vuln"
           format: "cosign-vuln"
           output: "vulnerabilities.json"
 

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
@@ -23,28 +23,27 @@ jobs:
       - name: Validate github workflow files to have pinned versions
         uses: digitalservicebund/github-actions-linter@3b941278d52936497add0afdebbf5c6e6ee8bd5d # v0.1.11
 
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@a20de5420d57c4102486cdd9578b45609c99d7eb # v0.26.0
+        env:
+          # specify multiple registries: try default GitHub registry, if too many requests, use the aws mirror
+          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+        with:
+          scanners: "vuln"
+          scan-type: "fs"
+          format: "sarif"
+          output: "trivy-results.sarif"
+          severity: "CRITICAL,HIGH"
+          exit-code: "1" # Fail the build!
 
-      # - name: Run Trivy vulnerability scanner
-      #   uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
-      #   env:
-      #     TRIVY_USERNAME: ${{ github.actor }}
-      #     TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
-      #   with:
-      #     scan-type: "fs"
-      #     skip-dirs: "node_modules" # See https://github.com/aquasecurity/trivy/issues/1283
-      #     format: "sarif"
-      #     output: "trivy-results.sarif"
-      #     severity: "CRITICAL,HIGH"
-      #     exit-code: "1" # Fail the build!
-
-      # - name: Upload Trivy scan results to GitHub Security tab
-      #   uses: github/codeql-action/upload-sarif@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
-      #   if: always() # Bypass non-zero exit code..
-      #   with:
-      #     sarif_file: "trivy-results.sarif"
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@6db8d6351fd0be61f9ed8ebd12ccd35dcec51fea # v3.26.11
+        if: always() # Bypass non-zero exit code..
+        with:
+          sarif_file: "trivy-results.sarif"
 
-      # - name: Send status to Slack
-      #   uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
-      #   if: ${{ failure() }}
-      #   with:
-      #     SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      - name: Send status to Slack
+        uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
+        if: ${{ failure() }}
+        with:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}