Dave Henderson
ee8a549fdd
* CI: Add Trivy GitHub Action Signed-off-by: Dave Henderson <dave.henderson@grafana.com> * Remove obsolete Snyk workflow Signed-off-by: Dave Henderson <dave.henderson@grafana.com> --------- Signed-off-by: Dave Henderson <dave.henderson@grafana.com>
48 lines
1.6 KiB
YAML
48 lines
1.6 KiB
YAML
name: Trivy Scan
|
|
on:
|
|
pull_request:
|
|
push:
|
|
branches:
|
|
- main
|
|
|
|
jobs:
|
|
trivy-scan:
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
- name: Run Trivy vulnerability scanner (table output)
|
|
uses: aquasecurity/trivy-action@0.22.0
|
|
with:
|
|
# scan the filesystem, rather than building a Docker image prior - the
|
|
# downside is we won't catch dependencies that are only installed in the
|
|
# image, but the upside is we'll only catch vulnerabilities that are
|
|
# explicitly in the our dependencies
|
|
scan-type: 'fs'
|
|
scanners: 'vuln'
|
|
format: 'table'
|
|
exit-code: 1
|
|
ignore-unfixed: true
|
|
vuln-type: 'os,library'
|
|
severity: 'CRITICAL,HIGH'
|
|
trivyignores: .trivyignore
|
|
- name: Run Trivy vulnerability scanner (SARIF)
|
|
uses: aquasecurity/trivy-action@0.22.0
|
|
with:
|
|
scan-type: 'fs'
|
|
scanners: 'vuln'
|
|
# Note: The SARIF format ignores severity and uploads all vulns for
|
|
# later triage. The table-format step above is used to fail the build
|
|
# if there are any critical or high vulnerabilities.
|
|
# See https://github.com/aquasecurity/trivy-action/issues/95
|
|
format: 'sarif'
|
|
output: 'trivy-results.sarif'
|
|
ignore-unfixed: true
|
|
vuln-type: 'os,library'
|
|
trivyignores: .trivyignore
|
|
if: always() && github.repository == 'grafana/grafana'
|
|
- name: Upload Trivy scan results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
with:
|
|
sarif_file: 'trivy-results.sarif'
|
|
if: always() && github.repository == 'grafana/grafana'
|