Skip to content

Trivy scan

Trivy scan #1895

Workflow file for this run

# SPDX-License-Identifier: BSD-2-Clause-Patent
# Copyright (c) 2024 Intel Corporation.
name: Trivy scan
on:
workflow_dispatch:
schedule:
- cron: '0 0 * * *'
push:
branches: ["master", "release/**"]
pull_request:
branches: ["master", "release/**"]
# Declare default permissions as nothing.
permissions: {}
jobs:
scan:
name: Scan with Trivy
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Run Trivy vulnerability scanner in filesystem mode (table format)
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
with:
scan-type: 'fs'
scan-ref: '.'
trivy-config: 'utils/trivy/trivy.yaml'
- name: Prepare the report to be uploaded to the GitHub artifact store
run: |
mkdir report
cp trivy-report-daos.txt report
cp utils/trivy/.trivyignore report/trivyignore.txt
- name: Upload the report to the GitHub artifact store
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
path: report/*
name: trivy-report-daos
- name: Adjust config file to use sarif format
run: |
sed -i 's/output: "trivy-report-daos.txt"/output: "trivy-results.sarif"/g' \
utils/trivy/trivy.yaml
sed -i 's/format: template/format: sarif/g' utils/trivy/trivy.yaml
- name: Run Trivy vulnerability scanner in filesystem mode (sarif format)
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
with:
scan-type: 'fs'
scan-ref: '.'
trivy-config: 'utils/trivy/trivy.yaml'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a
# 3.25.15 (v3)
with:
sarif_file: 'trivy-results.sarif'
- name: Adjust config file to show and validate scan results
run: |
sed -i 's/output: "trivy-results.sarif"//g' utils/trivy/trivy.yaml
sed -i 's/format: sarif/format: table/g' utils/trivy/trivy.yaml
sed -i 's/exit-code: 0/exit-code: 1/g' utils/trivy/trivy.yaml
- name: Run Trivy vulnerability scanner in filesystem mode (human readable format)
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
with:
scan-type: 'fs'
scan-ref: '.'
trivy-config: 'utils/trivy/trivy.yaml'