ci: replace trivy with trivy-action (#1871)

Signed-off-by: Binbin Li <[email protected]>
ratify-project · Oct 16, 2024 · 6376762 · 6376762
1 parent 85781cc
commit 6376762
Showing 1 changed file with 50 additions and 20 deletions.
diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml
@@ -37,6 +37,8 @@ jobs:
     name: "[Trivy] Scan for vulnerabilities"
     runs-on: ubuntu-22.04
     timeout-minutes: 15
+    env:
+      TRIVY_VERSION: v0.49.1
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
@@ -46,30 +48,58 @@ jobs:
       - name: Check out code into the Go module directory
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
 
-      - name: Download trivy
-        run: |
-          pushd $(mktemp -d)
-          wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
-          tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz
-          echo "$(pwd)" >> $GITHUB_PATH
-        env:
-          TRIVY_VERSION: "0.46.0"
+      - name: Manual Trivy Setup
+        uses: aquasecurity/setup-trivy@eadb05c36f891dc855bba00f67174a1e61528cd4 # v0.2.1
+        with:
+          cache: true
+          version: ${{ env.TRIVY_VERSION }}
 
       - name: Run trivy on git repository
-        run: |
-          trivy fs --format table --ignore-unfixed --scanners vuln .
+        uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          ignore-unfixed: true
+          scanners: 'vuln'
+          version: ${{ env.TRIVY_VERSION }}
 
       - name: Build docker images
         run: |
           make e2e-build-local-ratify-image
           make e2e-build-crd-image
-      - name: Run trivy on images for all severity
-        run: |
-          for img in "localbuild:test" "localbuildcrd:test"; do
-              trivy image --ignore-unfixed --vuln-type="os,library" "${img}"
-          done
-      - name: Run trivy on images and exit on HIGH severity
-        run: |
-          for img in "localbuild:test" "localbuildcrd:test"; do
-              trivy image --ignore-unfixed --exit-code 1 --severity HIGH --vuln-type="os,library" "${img}"
-          done
+      
+      - name: Run Trivy vulnerability scanner on localbuild:test
+        uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0
+        with:
+          scan-type: 'image'
+          image-ref: 'localbuild:test'
+          ignore-unfixed: true
+          version: ${{ env.TRIVY_VERSION }}
+
+      - name: Run Trivy vulnerability scanner on localbuildcrd:test
+        uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0
+        with:
+          scan-type: 'image'
+          image-ref: 'localbuildcrd:test'
+          ignore-unfixed: true
+          version: ${{ env.TRIVY_VERSION }}
+
+      - name: Run Trivy vulnerability scanner on localbuild:test and exit on HIGH severity
+        uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0
+        with:
+          scan-type: 'image'
+          image-ref: 'localbuild:test'
+          ignore-unfixed: true
+          severity: 'HIGH,CRITICAL'
+          exit-code: '1'
+          version: ${{ env.TRIVY_VERSION }}
+
+      - name: Run Trivy vulnerability scanner on localbuildcrd:test and exit on HIGH severity
+        uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0
+        with:
+          scan-type: 'image'
+          image-ref: 'localbuildcrd:test'
+          ignore-unfixed: true
+          severity: 'HIGH,CRITICAL'
+          exit-code: '1'
+          version: ${{ env.TRIVY_VERSION }}