1.0.63 Update Hadolint Scan Action #96
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: scan-dockerfiles-with-trivy | |
| # Define when the workflow should be triggered. | |
| on: | |
| # Trigger the workflow on the following events: | |
| # Scan changed files in Pull Requests (diff-aware scanning). | |
| pull_request: {} | |
| # Trigger the workflow on-demand through the GitHub Actions interface. | |
| workflow_dispatch: {} | |
| # Scan mainline branches (main and development) and report all findings. | |
| push: | |
| branches: ["development"] | |
| jobs: | |
| build: | |
| name: Run Trivy on Dockerfile | |
| runs-on: ubuntu-latest | |
| # Define permissions for specific actions | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Run Trivy vulnerability scanner in IaC mode | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: 'config' | |
| hide-progress: false | |
| format: 'sarif' | |
| output: 'dockerfile-trivy-scan-results.sarif' | |
| exit-code: '0' | |
| ignore-unfixed: true | |
| severity: 'CRITICAL,HIGH,MEDIUM' | |
| - name: View Results | |
| run: cat dockerfile-trivy-scan-results.sarif | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@main | |
| if: always() | |
| with: | |
| sarif_file: 'dockerfile-trivy-scan-results.sarif' |