Skip to content

feat: add trivy vulnerability check #12

feat: add trivy vulnerability check

feat: add trivy vulnerability check #12

Workflow file for this run

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: Trivy vulnerability scanner
on:
push:
branches:
- '*'
pull_request:
branches:
- '*'
#schedule:
# - cron: '39 17 * * 3'
permissions:
contents: read
jobs:
build:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: write # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Build
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
#- name: Build an image from Dockerfile
# run: |
# docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
- name: Run Trivy vulnerability scanner in fs mode
uses: aquasecurity/trivy-action@master
with:
# image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
scan-type: 'fs'
scan-ref: '.'
#exit-code: '0'
#ignore-unfixed: true
format: 'sarif'
#vuln-type: 'os,library'
severity: 'CRITICAL,HIGH,MEDIUM'
#template: '/sarif.tpl'
output: 'trivy-results.sarif'
#skip-dirs: "ignored-dir"
#trivy-config: trivy.yaml
#- name: Upload Trivy scan results as artifact
# uses: actions/upload-artifact@v2
# with:
# name: trivy-results
# path: trivy-results.sarif
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
#- name: Create Pull Request
# uses: peter-evans/create-pull-request@v5
# with:
# commit-message: update vulnerability list
# title: 'ci: Update vulnerability list'
# body: Update the vulnerability list
# branch: update-vulnerabilities
# base: master