Skip to content

Commit

Permalink
Update scan-vulns.yaml
Browse files Browse the repository at this point in the history
  • Loading branch information
@binbin-li
binbin-li authored Oct 15, 2024
1 parent 7a24966 commit ec2ee9e
Showing 1 changed file with 9 additions and 2 deletions.
11 changes: 9 additions & 2 deletions .github/workflows/scan-vulns.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,8 @@ jobs:
name: "[Trivy] Scan for vulnerabilities"
runs-on: ubuntu-22.04
timeout-minutes: 15
env:
TRIVY_VERSION: "0.46.0"
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
Expand All @@ -53,6 +55,7 @@ jobs:
scan-ref: '.'
ignore-unfixed: true
scanners: 'vuln'
version: ${{ env.TRIVY_VERSION }}

- name: Build docker images
run: |
Expand All @@ -65,28 +68,32 @@ jobs:
scan-type: 'image'
image-ref: 'localbuild:test'
ignore-unfixed: true
version: ${{ env.TRIVY_VERSION }}

- name: Run Trivy vulnerability scanner on localbuildcrd:test
uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0
with:
scan-type: 'image'
image-ref: 'localbuildcrd:test'
ignore-unfixed: true
version: ${{ env.TRIVY_VERSION }}

- name: Run Trivy vulnerability scanner on localbuild:test and exit on HIGH severity
uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0
with:
scan-type: 'image'
image-ref: 'localbuild:test'
ignore-unfixed: true
severity: 'HIGH'
severity: 'HIGH,CRITICAL'
exit-code: '1'
version: ${{ env.TRIVY_VERSION }}

- name: Run Trivy vulnerability scanner on localbuildcrd:test and exit on HIGH severity
uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0
with:
scan-type: 'image'
image-ref: 'localbuildcrd:test'
ignore-unfixed: true
severity: 'HIGH'
severity: 'HIGH,CRITICAL'
exit-code: '1'
version: ${{ env.TRIVY_VERSION }}

0 comments on commit ec2ee9e

Please sign in to comment.