Skip to content

Commit

Permalink
Use trivy action
Browse files Browse the repository at this point in the history
Use trivy action
  • Loading branch information
francbartoli committed Jan 6, 2024
1 parent 4529e4f commit 014b28d
Showing 1 changed file with 16 additions and 9 deletions.
25 changes: 16 additions & 9 deletions .github/workflows/vulnerabilities.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,16 +27,23 @@ jobs:
- name: Checkout pygeoapi
uses: actions/checkout@v4
- name: Scan vulnerabilities with trivy
run: |
sudo apt-get install -y wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install -y trivy
trivy --exit-code 1 fs --scanners vuln,misconfig,secret --severity HIGH,CRITICAL --ignore-unfixed .
uses: aquasecurity/trivy-action@master
with:
scan-type: fs
exit-code: 1
ignore-unfixed: true
severity: CRITICAL,HIGH
scanners: vuln,misconfig,secret
scan-ref: .
- name: Build locally the image from Dockerfile
run: |
docker buildx build -t ${{ env.DOCKER_REPOSITORY }}:${{ github.sha }} --platform linux/amd64 --no-cache -f Dockerfile .
- name: Scan locally built Docker image for vulnerabilities with trivy
run: |
trivy --exit-code 1 image --severity HIGH,CRITICAL ${{ env.DOCKER_REPOSITORY }}:${{ github.sha }} --ignore-unfixed
uses: aquasecurity/trivy-action@master
with:
scan-type: image
exit-code: 1
ignore-unfixed: true
severity: CRITICAL,HIGH
vuln-type: os,library
image-ref: '${{ env.DOCKER_REPOSITORY }}:${{ github.sha }}'

0 comments on commit 014b28d

Please sign in to comment.