-
Notifications
You must be signed in to change notification settings - Fork 0
103 lines (86 loc) · 2.71 KB
/
trivy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
name: Trivy Security Scan
on:
workflow_dispatch:
schedule:
- cron: 0 0 * * * # daily at midnight
workflow_call:
inputs:
image-ref:
type: string
required: false
description: Container Ref to be scanned by Trivy
env:
DOCKER_BUILDKIT: 1
COSIGN_EXPERIMENTAL: 1
jobs:
trivy-repo:
name: Scan repository
runs-on: ubuntu-latest
permissions:
security-events: write # upload security results
steps:
- name: Checkout repo
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Get main branch SHA
run: |
git pull origin main:main
echo "BASE_SHA=$(git merge-base --fork-point main)" | tee -a $GITHUB_ENV
- name: Scan repo filesystem
uses: aquasecurity/[email protected]
with:
scan-type: fs
format: sarif
output: trivy-results.sarif
- name: Upload scan results to GitHub Security
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: trivy-results.sarif
ref: refs/heads/main
sha: ${{ env.BASE_SHA }}
trivy-docker:
name: Scan container image
runs-on: ubuntu-latest
permissions:
security-events: write # upload security results
steps:
- name: Checkout repo
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Get main branch SHA
run: |
git pull origin main:main
echo "BASE_SHA=$(git merge-base --fork-point main)" | tee -a $GITHUB_ENV
- name: Install Cosign
uses: sigstore/[email protected]
- name: Generate docker-compliant image name
run: |
if [[ -z "$IMAGE_REF" ]]; then
echo "IMAGE_REF=$(echo ${GITHUB_REPOSITORY,,} | sed 's/docker-//'):latest" | tee -a $GITHUB_ENV
else
echo "IMAGE_REF=$IMAGE_REF" | tee -a $GITHUB_ENV
fi
env:
IMAGE_REF: ${{ inputs.image-ref }}
- name: Verify container images
run: |
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp https://github.com/$GITHUB_REPOSITORY/.github/workflows/ \
$IMAGE_REF
- name: Scan container image
uses: aquasecurity/[email protected]
with:
image-ref: ${{ env.IMAGE_REF }}
format: sarif
output: trivy-results.sarif
- name: Upload scan results to GitHub Security
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: trivy-results.sarif
ref: refs/heads/main
sha: ${{ env.BASE_SHA }}