From c3c24a106b45d77d1e6219fa79ec163059fb7dc8 Mon Sep 17 00:00:00 2001
From: Niklas
Date: Sat, 30 Mar 2024 11:26:10 +0100
Subject: [PATCH] Add Trivy misconfig scan to CI (#1)

Signed-off-by: nscuro
---
 .github/workflows/helm-ci.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/.github/workflows/helm-ci.yml b/.github/workflows/helm-ci.yml
index 2b94ed0..0354930 100644
--- a/.github/workflows/helm-ci.yml
+++ b/.github/workflows/helm-ci.yml
@@ -4,10 +4,14 @@ on:
   push:
     branches:
       - main
+    paths:
+      - .github/workflows/**
+      - charts/**
   pull_request:
     branches:
       - main
     paths:
+      - .github/workflows/**
       - charts/**
 
 permissions: { }
@@ -20,6 +24,8 @@ jobs:
     steps:
       - name: Checkout Repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+        with:
+          fetch-depth: "0"
       - name: Set up Helm
         uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # tag=v3.5
       - name: Set up Python
@@ -31,6 +37,16 @@ jobs:
         uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # tag=v2.6.1
       - name: Lint Chart
         run: ct lint --config ct.yaml
+      - name: Scan for Misconfiguration
+        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # tag=v0.19.0
+        with:
+          scan-type: config
+          format: sarif
+          output: misconfig.sarif
+      - name: Upload Misconfiguration Scan Results
+        uses: github/codeql-action/upload-sarif@956f09c2ef1926b580554b9014cfb8a51abf89dd # tag=codeql-bundle-v2.16.6
+        with:
+          sarif_file: misconfig.sarif
 
   test:
     name: Test
@@ -39,6 +55,8 @@ jobs:
     steps:
       - name: Checkout Repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
+        with:
+          fetch-depth: "0"
       - name: Set up Helm
         uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # tag=v3.5
       - name: Set up Python
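Review bot: The new `Upload Misconfiguration Scan Results` step in the third hunk needs `security-events: write` on the lint job, because the workflow sets `permissions: { }` at the top (visible in the first hunk) and `github/codeql-action/upload-sarif` writes to the code-scanning API; with an empty token scope that upload is rejected. The lint job's own `permissions` block, if it has one, lies outside the hunk, so this is inferred from the top-level setting rather than seen. Add to the lint job, keeping the rest of the token read-only: `permissions:` / `  contents: read` / `  security-events: write` (private repositories also need `actions: read` for this action). Consider `if: always()` on the upload step as well, so a SARIF file produced by a scan step that exits non-zero is still uploaded rather than silently dropped. The pinned SHAs with `# tag=` comments on both new actions are the right pattern and match the rest of the file.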