Skip to content

Trivy Security Scan #428

Trivy Security Scan

Trivy Security Scan #428

Workflow file for this run

name: Trivy Security Scan
on:
workflow_dispatch:
schedule:
- cron: 0 0 * * * # daily at midnight
workflow_call:
inputs:
image-ref:
type: string
required: false
description: Container Ref to be scanned by Trivy
env:
DOCKER_BUILDKIT: 1
COSIGN_EXPERIMENTAL: 1
jobs:
trivy-repo:
name: Scan repository
runs-on: ubuntu-latest
permissions:
security-events: write # upload security results
steps:
- name: Checkout repo
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Get main branch SHA
run: |
git pull origin main:main
echo "BASE_SHA=$(git merge-base --fork-point main)" | tee -a $GITHUB_ENV
- name: Scan repo filesystem
uses: aquasecurity/[email protected]
with:
scan-type: fs
format: sarif
output: trivy-results.sarif
- name: Upload scan results to GitHub Security
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: trivy-results.sarif
ref: refs/heads/main
sha: ${{ env.BASE_SHA }}
trivy-docker:
name: Scan container image
runs-on: ubuntu-latest
permissions:
security-events: write # upload security results
steps:
- name: Checkout repo
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Get main branch SHA
run: |
git pull origin main:main
echo "BASE_SHA=$(git merge-base --fork-point main)" | tee -a $GITHUB_ENV
- name: Install Cosign
uses: sigstore/[email protected]
- name: Generate docker-compliant image name
run: |
if [[ -z "$IMAGE_REF" ]]; then
echo "IMAGE_REF=$(echo ${GITHUB_REPOSITORY,,} | sed 's/docker-//'):latest" | tee -a $GITHUB_ENV
else
echo "IMAGE_REF=$IMAGE_REF" | tee -a $GITHUB_ENV
fi
env:
IMAGE_REF: ${{ inputs.image-ref }}
- name: Verify container images
run: |
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp https://github.com/$GITHUB_REPOSITORY/.github/workflows/ \
$IMAGE_REF
- name: Scan container image
uses: aquasecurity/[email protected]
with:
image-ref: ${{ env.IMAGE_REF }}
format: sarif
output: trivy-results.sarif
- name: Upload scan results to GitHub Security
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: trivy-results.sarif
ref: refs/heads/main
sha: ${{ env.BASE_SHA }}