Add Trivy misconfig scan to CI (#1)

Signed-off-by: nscuro <[email protected]>
DependencyTrack · Mar 30, 2024 · c3c24a1 · c3c24a1
1 parent bee0509
commit c3c24a1
Showing 1 changed file with 18 additions and 0 deletions.
diff --git a/.github/workflows/helm-ci.yml b/.github/workflows/helm-ci.yml
@@ -4,10 +4,14 @@ on:
   push:
     branches:
     - main
+    paths:
+    - .github/workflows/**
+    - charts/**
   pull_request:
     branches:
     - main
     paths:
+    - .github/workflows/**
     - charts/**
 
 permissions: { }
@@ -20,6 +24,8 @@ jobs:
     steps:
     - name: Checkout Repository
       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+      with:
+        fetch-depth: "0"
     - name: Set up Helm
       uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # tag=v3.5
     - name: Set up Python
@@ -31,6 +37,16 @@ jobs:
       uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # tag=v2.6.1
     - name: Lint Chart
       run: ct lint --config ct.yaml
+    - name: Scan for Misconfiguration
+      uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # tag=v0.19.0
+      with:
+        scan-type: config
+        format: sarif
+        output: misconfig.sarif
+    - name: Upload Misconfiguration Scan Results
+      uses: github/codeql-action/upload-sarif@956f09c2ef1926b580554b9014cfb8a51abf89dd # tag=codeql-bundle-v2.16.6
+      with:
+        sarif_file: misconfig.sarif
 
   test:
     name: Test
@@ -39,6 +55,8 @@ jobs:
     steps:
     - name: Checkout Repository
       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+      with:
+        fetch-depth: "0"
     - name: Set up Helm
       uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # tag=v3.5
     - name: Set up Python