Skip to content

Trivy vulnerability scanner #701

Trivy vulnerability scanner

Trivy vulnerability scanner #701

Workflow file for this run

# Depending on the location of your Docker container
# you need to change the path to the specific Docker registry.
#
name: "Trivy vulnerability scanner"
on:
workflow_dispatch: # Trigger manually
push:
branches: main
paths-ignore:
- '**/*.md'
- '**/*.txt'
pull_request:
branches: main
paths-ignore:
- '**/*.md'
- '**/*.txt'
schedule:
- cron: '0 0 * * *' # Once a day
jobs:
analyze-config:
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: "config"
ignore-unfixed: true
exit-code: "1"
hide-progress: false
format: "sarif"
output: "trivy-results1.sarif"
severity: "CRITICAL,HIGH"
# full-irs is a demonstration and not intended to run in a production environment, it can be excluded
skip-dirs: "charts/connector/aasregistry,charts/connector/daps,charts/connector/edc-provider,charts/connector/submodelservers,charts/irs-environments/local,local/deployment/full-irs" # skip scanning external images.
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: "trivy-results1.sarif"