From 014b28df848564d46400b3fd548f662b00f9d50e Mon Sep 17 00:00:00 2001
From: Francesco Bartoli
Date: Sun, 7 Jan 2024 00:59:10 +0100
Subject: [PATCH] Use trivy action

Use trivy action
---
 .github/workflows/vulnerabilities.yml | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/vulnerabilities.yml b/.github/workflows/vulnerabilities.yml
index 0b48815a4..78a06ee2e 100644
--- a/.github/workflows/vulnerabilities.yml
+++ b/.github/workflows/vulnerabilities.yml
@@ -27,16 +27,23 @@ jobs:
       - name: Checkout pygeoapi
         uses: actions/checkout@v4
       - name: Scan vulnerabilities with trivy
-        run: |
-          sudo apt-get install -y wget apt-transport-https gnupg lsb-release
-          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
-          echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
-          sudo apt-get update
-          sudo apt-get install -y trivy
-          trivy --exit-code 1 fs --scanners vuln,misconfig,secret --severity HIGH,CRITICAL --ignore-unfixed .
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: fs
+          exit-code: 1
+          ignore-unfixed: true
+          severity: CRITICAL,HIGH
+          scanners: vuln,misconfig,secret
+          scan-ref: .
       - name: Build locally the image from Dockerfile
         run: |
           docker buildx build -t ${{ env.DOCKER_REPOSITORY }}:${{ github.sha }} --platform linux/amd64 --no-cache -f Dockerfile .
       - name: Scan locally built Docker image for vulnerabilities with trivy
-        run: |
-          trivy --exit-code 1 image --severity HIGH,CRITICAL ${{ env.DOCKER_REPOSITORY }}:${{ github.sha }} --ignore-unfixed
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: image
+          exit-code: 1
+          ignore-unfixed: true
+          severity: CRITICAL,HIGH
+          vuln-type: os,library
+          image-ref: '${{ env.DOCKER_REPOSITORY }}:${{ github.sha }}'
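Review bot: Both new `uses: aquasecurity/trivy-action@master` lines (the filesystem scan step and the image scan step) pin a third-party action to a mutable branch, so whatever that branch resolves to at run time executes inside this job with whatever permissions the job's token carries and with access to the freshly built image; for a step whose purpose is to gate on vulnerabilities, that is an avoidable supply-chain exposure. Pin to an immutable reference instead, preferably the full commit SHA of a released version with the tag recorded in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # <release-tag>`, and let Dependabot or Renovate advance the pin. The `with:` inputs reproduce the flags of the removed shell invocations (`--exit-code 1`, `--ignore-unfixed`, `--severity HIGH,CRITICAL`, `--scanners vuln,misconfig,secret`), so the unpinned ref is the only new gap these steps open; `actions/checkout@v4` in the context lines is outside this change.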