Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add trivy scan #4

Merged
merged 20 commits into from
May 10, 2024
Merged

add trivy scan #4

Changes from all commits
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
195f563
test trivy scanner
rkm May 2, 2024
883a5d0
use master
rkm May 2, 2024
557c615
fix syntax
rkm May 2, 2024
3dca043
only scan for vulns not secrets
rkm May 2, 2024
e2256f0
only run if image built
rkm May 2, 2024
6863751
debug
rkm May 2, 2024
7c97ccb
don't prune trivy image
rkm May 2, 2024
e5b2c86
add test package
rkm May 2, 2024
9bbace5
test known bad image
rkm May 2, 2024
78ad1f5
remove debug
rkm May 2, 2024
bd465a3
upload trivy report to GHA
rkm May 2, 2024
07b7dc1
trigger FSL build
rkm May 2, 2024
8fe490d
add skip
rkm May 2, 2024
f4d9f97
trigger fsl build
rkm May 2, 2024
2d6e694
Upload report even if Trivy scan failed
rkm May 2, 2024
31bf4d5
trigger build
rkm May 2, 2024
30a3a19
remove temporary changes
rkm May 3, 2024
098d0f7
remove exit-code on error
rkm May 10, 2024
66b6706
trigger build
rkm May 10, 2024
9fb596f
[skip ci] remove test
rkm May 10, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 16 additions & 1 deletion .github/workflows/main.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,7 +42,6 @@ jobs:
sudo rm -rf /usr/local/share/boost
sudo rm -rf /opt/ghc
sudo rm -rf "$AGENT_TOOLSDIRECTORY"
sudo docker image prune --all --force
df -h
- name: build image
if: env.SKIP == '0'
Expand All @@ -56,6 +55,22 @@ jobs:
docker tag "$img:$tag" "$img:latest"
echo "img=$img" >> "$GITHUB_ENV"
echo "tag=$tag" >> "$GITHUB_ENV"
- name: run trivy
if: env.SKIP == '0'
uses: aquasecurity/trivy-action@master
with:
image-ref: "${{ env.img }}:${{ env.tag }}"
format: 'github'
output: 'dependency-results.sbom.json'
github-pat: "${{ secrets.GITHUB_TOKEN }}"
severity: 'MEDIUM,CRITICAL,HIGH'
scanners: "vuln"
- name: upload trivy report
if: env.SKIP == '0' && !cancelled()
uses: actions/upload-artifact@v4
with:
name: 'trivy-sbom-report-${{ matrix.package }}'
path: 'dependency-results.sbom.json'
- name: push image
if: env.SKIP == '0' && github.ref == 'refs/heads/main'
run: |
Expand Down