Skip to content

Commit

Permalink
ci: replace trivy with trivy-action
Browse files Browse the repository at this point in the history
Signed-off-by: Binbin Li <[email protected]>
  • Loading branch information
binbin-li committed Oct 15, 2024
1 parent 1ecd21f commit 2a860ca
Showing 1 changed file with 38 additions and 21 deletions.
59 changes: 38 additions & 21 deletions .github/workflows/scan-vulns.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -46,30 +46,47 @@ jobs:
- name: Check out code into the Go module directory
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871

- name: Download trivy
run: |
pushd $(mktemp -d)
wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
echo "$(pwd)" >> $GITHUB_PATH
env:
TRIVY_VERSION: "0.46.0"

- name: Run trivy on git repository
run: |
trivy fs --format table --ignore-unfixed --scanners vuln .
uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0
with:
scan-type: 'fs'
scan-ref: '.'
ignore-unfixed: true
scanners: 'vuln'

- name: Build docker images
run: |
make e2e-build-local-ratify-image
make e2e-build-crd-image
- name: Run trivy on images for all severity
run: |
for img in "localbuild:test" "localbuildcrd:test"; do
trivy image --ignore-unfixed --vuln-type="os,library" "${img}"
done
- name: Run trivy on images and exit on HIGH severity
run: |
for img in "localbuild:test" "localbuildcrd:test"; do
trivy image --ignore-unfixed --exit-code 1 --severity HIGH --vuln-type="os,library" "${img}"
done
- name: Run Trivy vulnerability scanner on localbuild:test
uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0
with:
scan-type: 'image'
image-ref: 'localbuild:test'
ignore-unfixed: true

- name: Run Trivy vulnerability scanner on localbuildcrd:test
uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0
with:
scan-type: 'image'
image-ref: 'localbuildcrd:test'
ignore-unfixed: true

- name: Run Trivy vulnerability scanner on localbuild:test and exit on HIGH severity
uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0
with:
scan-type: 'image'
image-ref: 'localbuild:test'
ignore-unfixed: true
severity: 'HIGH'
exit-code: '1'

- name: Run Trivy vulnerability scanner on localbuildcrd:test and exit on HIGH severity
uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0
with:
scan-type: 'image'
image-ref: 'localbuildcrd:test'
ignore-unfixed: true
severity: 'HIGH'
exit-code: '1'

0 comments on commit 2a860ca

Please sign in to comment.