From a8c969b031a1790559f8c746fee0df9c3e674a1b Mon Sep 17 00:00:00 2001 From: Emanuela Epure <67077116+emanuelaepure10@users.noreply.github.com> Date: Tue, 28 May 2024 10:53:41 +0200 Subject: [PATCH] feat: scanning the entire repository --- .github/workflows/trivy.yml | 40 +++++++++++++++++++++++++------------ 1 file changed, 27 insertions(+), 13 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 183231164e..7782f25588 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -26,6 +26,7 @@ jobs: actions: write # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Build runs-on: ubuntu-latest + steps: - name: Checkout code uses: actions/checkout@v4 @@ -34,19 +35,19 @@ jobs: # run: | # docker build -t docker.io/my-organization/my-app:${{ github.sha }} . - - name: Run Trivy vulnerability scanner in fs mode - uses: aquasecurity/trivy-action@master - with: + #- name: Run Trivy vulnerability scanner in fs mode + # uses: aquasecurity/trivy-action@master + # with: # image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' - scan-type: 'fs' - scan-ref: '.' + #scan-type: 'fs' + #scan-ref: '.' #exit-code: '0' #ignore-unfixed: true - format: 'sarif' + #format: 'sarif' #vuln-type: 'os,library' - severity: 'CRITICAL,HIGH,MEDIUM' + #severity: 'CRITICAL,HIGH,MEDIUM' #template: '/sarif.tpl' - output: 'trivy-results.sarif' + #output: 'trivy-results.sarif' #skip-dirs: "ignored-dir" #trivy-config: trivy.yaml @@ -56,10 +57,10 @@ jobs: # name: trivy-results # path: trivy-results.sarif - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 - with: - sarif_file: 'trivy-results.sarif' + #- name: Upload Trivy scan results to GitHub Security tab + # uses: github/codeql-action/upload-sarif@v2 + # with: + # sarif_file: 'trivy-results.sarif' #- name: Create Pull Request @@ -69,4 +70,17 @@ jobs: # title: 'ci: Update vulnerability list' # body: Update the vulnerability list # branch: update-vulnerabilities - # base: master \ No newline at end of file + # base: master + + + - name: Install Trivy + run: | + sudo apt-get update + sudo apt-get install wget -y + wget https://github.com/aquasecurity/trivy/releases/download/v0.34.0/trivy_0.34.0_Linux-64bit.deb + sudo dpkg -i trivy_0.34.0_Linux-64bit.deb + + - name: Scan the entire repository + run: | + echo "Scanning the entire repository..." + trivy fs . \ No newline at end of file