public/grafana
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ac41c193508ac514b85ebafa15442df583fa0992
grafana/.github/workflows/trivy-scan.yml
Mariell Hoversholm 4fb7b47971 Trivy: Document Vulnerability Observability (#99414) 
We use Vulnerability Observability for Docker images. The current comments say we simply don't scan them at all, so
let's make it clear for future readers that we do, in fact, scan Docker images, too.
2025-01-23 11:02:23 +01:00

69 lines
2.3 KiB
YAML
Raw Blame History

name: Trivy Scan
on:
pull_request:
# only run on PRs where go.mod/go.sum/etc have been updated
paths:
- go.*
- .github/workflows/trivy-scan.yml
push:
branches:
- main
paths:
- go.*
- .github/workflows/trivy-scan.yml
jobs:
trivy-scan:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- name: Install Trivy
uses: aquasecurity/setup-trivy@v0.2.2
with:
version: v0.56.2
cache: true
- name: Download Trivy DB
run: |
trivy fs --no-progress --download-db-only --db-repository public.ecr.aws/aquasecurity/trivy-db
- name: Run Trivy vulnerability scanner (table output)
# Use the trivy binary rather than the aquasecurity/trivy-action action
# to avoid a few bugs.
#
# We scan the file system rather than building the Docker image to only scan
# our direct dependencies. The Docker images are still scanned by
# Vulnerability Observability:
# - OSS: https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/projects/sources/1
# - Enterprise: https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/projects/sources/12
# (If these links are outdated, just go to the list and find the images manually.)
run: |
trivy fs \
--scanners vuln \
--format table \
--exit-code 1 \
--ignore-unfixed \
--pkg-types os,library \
--severity CRITICAL,HIGH \
--ignorefile .trivyignore \
--skip-files yarn.lock,package.json \
--skip-db-update \
.
- name: Run Trivy vulnerability scanner (SARIF)
# Use the trivy binary rather than the aquasecurity/trivy-action action
# to avoid a few bugs
run: |
trivy fs \
--scanners vuln \
--format sarif \
--output trivy-results.sarif \
--ignore-unfixed \
--pkg-types os,library \
--ignorefile .trivyignore \
--skip-db-update \
.
if: always() && github.repository == 'grafana/grafana'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
if: always() && github.repository == 'grafana/grafana'
Reference in New Issue View Git Blame Copy Permalink