feat(action): link the pr to solved jira #1518
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # SPDX-FileCopyrightText: 2023 Lifely | |
| # SPDX-License-Identifier: EUPL-1.2+ | |
| # | |
| name: Trivy code scanner | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| # ignore CodeQL analysis when only Markdown files have changed | |
| paths-ignore: | |
| - '**/*.md' | |
| schedule: | |
| - cron: "21 11 * * 0" | |
| permissions: | |
| # Required for uploading SARIF reports | |
| security-events: write | |
| jobs: | |
| build: | |
| name: Run Trivy code scanner | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Run Trivy vulnerability scanner in repo mode | |
| # Note that Trivy for Java requires a Gradle lock file. | |
| # We do not use Gradle dependency locking yet because we use Dependabot | |
| # to update our Gradle dependencies and Dependabot does not support Gradle lock | |
| # files yet. See: https://github.com/dependabot/dependabot-core/issues/2222 | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: 'fs' | |
| ignore-unfixed: true | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| # limit the severities even when using Sarif | |
| # or else all vulnerabilities will be reported | |
| limit-severities-for-sarif: true | |
| severity: 'CRITICAL,HIGH' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: 'trivy-results.sarif' |