diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 8a227f2..1f0ab11 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -46,13 +46,16 @@ jobs: - name: Push images run: ./build --push - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0 + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0 with: image-ref: '${{ steps.build.outputs.LATEST_IMAGE_TAG }}' format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH' limit-severities-for-sarif: true + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db + TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 with: diff --git a/.github/workflows/vuln-check.yml b/.github/workflows/vuln-check.yml index 43f068e..52c6d6a 100644 --- a/.github/workflows/vuln-check.yml +++ b/.github/workflows/vuln-check.yml @@ -30,13 +30,16 @@ jobs: docker-images: false # Do not remove locally built images (including trivy scanner) - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0 + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0 with: image-ref: 'ghcr.io/datadog/dd-trace-java-docker-build:latest' format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH' limit-severities-for-sarif: true + env: + TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db + TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3