diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000000..f0708b6289
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,72 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: Trivy vulnerability scanner
+
+on:
+ push:
+ branches:
+ - '*'
+ pull_request:
+ branches:
+ - '*'
+ #schedule:
+ # - cron: '39 17 * * 3'
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: write # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ name: Build
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ #- name: Build an image from Dockerfile
+ # run: |
+ # docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+
+ - name: Run Trivy vulnerability scanner in fs mode
+ uses: aquasecurity/trivy-action@master
+ with:
+ # image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+ scan-type: 'fs'
+ scan-ref: '.'
+ #exit-code: '0'
+ #ignore-unfixed: true
+ format: 'sarif'
+ #vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH,MEDIUM'
+ #template: '/sarif.tpl'
+ output: 'trivy-results.sarif'
+ #skip-dirs: "ignored-dir"
+ #trivy-config: trivy.yaml
+
+ #- name: Upload Trivy scan results as artifact
+ # uses: actions/upload-artifact@v2
+ # with:
+ # name: trivy-results
+ # path: trivy-results.sarif
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
+
+
+ #- name: Create Pull Request
+ # uses: peter-evans/create-pull-request@v5
+ # with:
+ # commit-message: update vulnerability list
+ # title: 'ci: Update vulnerability list'
+ # body: Update the vulnerability list
+ # branch: update-vulnerabilities
+ # base: master
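Review bot: `uses: aquasecurity/trivy-action@master` in the scan step pulls a third-party action from a mutable branch, so whatever lands on that branch next runs in this job with a `security-events: write` token; pin it to an immutable ref, `uses: aquasecurity/trivy-action@<pinned-commit-sha> # <release-tag>`, and consider the same for `github/codeql-action/upload-sarif@v2`, which as far as I know has been superseded by v3. The `actions: write` grant is, per its own comment, only needed for private repositories, so it should be dropped if this repository is public. Separately, the `push`/`pull_request` filters use `'*'`, which in GitHub's branch-glob syntax does not match `/`, so branches such as `release/x` would not trigger the scan (`'**'` matches all), and pull requests from forks run with a read-only token, so the SARIF upload step can be expected to fail on those runs.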