Trivy

feat: auto reload deployment when config change #244

Workflow file for this run

	name: Trivy
	on:
	push:
	branches:
	- main
	pull_request:
	permissions:
	contents: read
	security-events: write
	jobs:
	scan:
	name: Security Scan
	runs-on: ubuntu-latest
	steps:
	- name: Checkout code
	uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 #v4.2.1

	- name: JFrog Login
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0
	with:
	registry: nethermind.jfrog.io
	username: ${{ secrets.ARTIFACTORY_ANGKOR_USERNAME }}
	password: ${{ secrets.ARTIFACTORY_ANGKOR_TOKEN_DEVELOPER }}

	- name: Set up Helm
	uses: azure/setup-helm@v3
	with:
	version: v3.12.1

	- name: Update Chart Dependencies
	run: \|
	for dir in charts/*/; do
	if [ -f "${dir}Chart.yaml" ]; then
	helm dependency update "$dir"
	fi
	done

	- name: Package Charts
	run: \|
	WORKSPACE="${GITHUB_WORKSPACE:-$(pwd)}"
	TRIVY_CHARTS_DIR="${WORKSPACE}/.trivy-charts"
	mkdir -p "$TRIVY_CHARTS_DIR"
	for dir in charts/*/; do
	if [ -f "${dir}Chart.yaml" ]; then
	echo "Packaging ${dir} to ${TRIVY_CHARTS_DIR}"
	helm package "$dir" -d "$TRIVY_CHARTS_DIR"
	fi
	done
	echo "Contents of ${TRIVY_CHARTS_DIR}:"
	ls -la "$TRIVY_CHARTS_DIR"

	- name: Manual Trivy Setup
	uses: aquasecurity/setup-trivy@ff1b8b060f23b650436d419b5e13f67f5d4c3087 #v0.2.2
	with:
	cache: true
	version: v0.57.1

	- name: Generate Trivy SARIF Report
	uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 #v0.29.0
	with:
	scan-type: 'fs'
	scan-ref: '${{ github.workspace }}/charts'
	format: 'sarif'
	output: 'trivy-results.sarif'
	exit-code: '0'
	trivyignores: '.trivyignore.yaml'
	scanners: 'misconfig,secret'
	skip-setup-trivy: true
	severity: 'CRITICAL,HIGH,MEDIUM,LOW'
	env:
	TRIVY_USERNAME: ${{ secrets.ARTIFACTORY_ANGKOR_USERNAME }}
	TRIVY_PASSWORD: ${{ secrets.ARTIFACTORY_ANGKOR_TOKEN_DEVELOPER }}
	TRIVY_DB_REPOSITORY: mirror.gcr.io/aquasec/trivy-db:2
	TRIVY_CHECKS_BUNDLE_REPOSITORY: nethermind.jfrog.io/angkor-oci-local-staging/trivy-checks:latest
	TRIVY_DEBUG: true

	- name: Upload Trivy scan results
	uses: github/codeql-action/upload-sarif@5618c9fc1e675841ca52c1c6b1304f5255a905a0 #v2.19.0
	if: always()
	with:
	sarif_file: 'trivy-results.sarif'

	- name: Fail on High/Critical Issues
	uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 #v0.29.0
	with:
	scan-type: 'fs'
	scan-ref: '${{ github.workspace }}/charts'
	format: 'table'
	severity: 'CRITICAL,HIGH'
	exit-code: '1'
	scanners: 'misconfig,secret'
	timeout: '10m'
	trivyignores: '.trivyignore.yaml'
	limit-severities-for-sarif: true
	skip-setup-trivy: true
	env:
	TRIVY_USERNAME: ${{ secrets.ARTIFACTORY_ANGKOR_USERNAME }}
	TRIVY_PASSWORD: ${{ secrets.ARTIFACTORY_ANGKOR_TOKEN_DEVELOPER }}
	TRIVY_DB_REPOSITORY: mirror.gcr.io/aquasec/trivy-db:2
	TRIVY_CHECKS_BUNDLE_REPOSITORY: nethermind.jfrog.io/angkor-oci-local-staging/trivy-checks:latest
	TRIVY_DEBUG: true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: auto reload deployment when config change #244

Workflow file

feat: auto reload deployment when config change #244

Jobs

Run details

Workflow file for this run