Update trivy scanning to use actions (#3169)

openvinotoolkit · Mar 21, 2024 · 176cdf5 · 176cdf5
1 parent bec32b6
commit 176cdf5
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 10 deletions.
diff --git a/.ci/trivy.yaml b/.ci/trivy.yaml
@@ -9,3 +9,8 @@ scan:
 severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
 vulnerability:
   ignore-unfixed: false
+format: template
+template: "@.ci/csv.tmpl"
+output: trivy-results.csv
+list-all-pkgs: true
+debug: true
diff --git a/.github/workflows/code_scan.yaml b/.github/workflows/code_scan.yaml
@@ -4,6 +4,7 @@ on:
   workflow_dispatch: # run on request (no need for PR)
   push:
     branches:
+      - "develop"
       - "releases/*"
   schedule:
     # every UTC 6PM from Mon to Fri
@@ -14,7 +15,7 @@ permissions: read-all
 
 jobs:
   Trivy-scan:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -23,21 +24,23 @@ jobs:
         with:
           python-version: "3.10"
       - name: Install dependencies
-        run: python -m pip install --require-hashes --no-deps -r .ci/tox-deps.txt
+        run: python -m pip install --require-hashes --no-deps -r .ci/piptools-deps.txt
+      - name: Freeze dependencies
+        run: pip-compile --extra=docs,base,mmlab,anomaly -o requirements.txt pyproject.toml
       - name: Trivy Scanning
-        env:
-          TRIVY_DOWNLOAD_URL: ${{ vars.TRIVY_DOWNLOAD_URL }}
-        run: tox -vv -e trivy-scan
+        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # 0.18.0
+        with:
+          trivy-config: ".ci/trivy.yaml"
+          scan-type: "fs"
+          scan-ref: .
+          scanners: vuln,secret
       - name: Upload Trivy results artifact
         uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: trivy-results
-          path: |
-            .tox/trivy-spdx-otx.json
-            .tox/trivy-results-otx.txt
-            .tox/trivy-results-otx.csv
+          path: "${{ github.workspace }}/trivy-results.csv"
   Bandit:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1