From ecf6ff04c68217fe7d541fbb258fd5f3181f1a95 Mon Sep 17 00:00:00 2001 From: Binbin Li Date: Tue, 15 Oct 2024 07:38:11 +0000 Subject: [PATCH] ci: replace trivy with trivy-action Signed-off-by: Binbin Li --- .github/workflows/scan-vulns.yaml | 70 ++++++++++++++++++++++--------- 1 file changed, 50 insertions(+), 20 deletions(-) diff --git a/.github/workflows/scan-vulns.yaml b/.github/workflows/scan-vulns.yaml index b2ead2507..ad2d2fb54 100644 --- a/.github/workflows/scan-vulns.yaml +++ b/.github/workflows/scan-vulns.yaml @@ -37,6 +37,8 @@ jobs: name: "[Trivy] Scan for vulnerabilities" runs-on: ubuntu-22.04 timeout-minutes: 15 + env: + TRIVY_VERSION: v0.49.1 steps: - name: Harden Runner uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 @@ -46,30 +48,58 @@ jobs: - name: Check out code into the Go module directory uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 - - name: Download trivy - run: | - pushd $(mktemp -d) - wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz - tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz - echo "$(pwd)" >> $GITHUB_PATH - env: - TRIVY_VERSION: "0.46.0" + - name: Manual Trivy Setup + uses: aquasecurity/setup-trivy@eadb05c36f891dc855bba00f67174a1e61528cd4 # v0.2.1 + with: + cache: true + version: ${{ env.TRIVY_VERSION }} - name: Run trivy on git repository - run: | - trivy fs --format table --ignore-unfixed --scanners vuln . + uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0 + with: + scan-type: 'fs' + scan-ref: '.' + ignore-unfixed: true + scanners: 'vuln' + version: ${{ env.TRIVY_VERSION }} - name: Build docker images run: | make e2e-build-local-ratify-image make e2e-build-crd-image - - name: Run trivy on images for all severity - run: | - for img in "localbuild:test" "localbuildcrd:test"; do - trivy image --ignore-unfixed --vuln-type="os,library" "${img}" - done - - name: Run trivy on images and exit on HIGH severity - run: | - for img in "localbuild:test" "localbuildcrd:test"; do - trivy image --ignore-unfixed --exit-code 1 --severity HIGH --vuln-type="os,library" "${img}" - done + + - name: Run Trivy vulnerability scanner on localbuild:test + uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0 + with: + scan-type: 'image' + image-ref: 'localbuild:test' + ignore-unfixed: true + version: ${{ env.TRIVY_VERSION }} + + - name: Run Trivy vulnerability scanner on localbuildcrd:test + uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0 + with: + scan-type: 'image' + image-ref: 'localbuildcrd:test' + ignore-unfixed: true + version: ${{ env.TRIVY_VERSION }} + + - name: Run Trivy vulnerability scanner on localbuild:test and exit on HIGH severity + uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0 + with: + scan-type: 'image' + image-ref: 'localbuild:test' + ignore-unfixed: true + severity: 'HIGH,CRITICAL' + exit-code: '1' + version: ${{ env.TRIVY_VERSION }} + + - name: Run Trivy vulnerability scanner on localbuildcrd:test and exit on HIGH severity + uses: aquasecurity/trivy-action@5681af892cd0f4997658e2bacc62bd0a894cf564 # 0.27.0 + with: + scan-type: 'image' + image-ref: 'localbuildcrd:test' + ignore-unfixed: true + severity: 'HIGH,CRITICAL' + exit-code: '1' + version: ${{ env.TRIVY_VERSION }} \ No newline at end of file