diff --git a/.github/workflows/sec-checks.yaml b/.github/workflows/sec-checks.yaml
index d732efd581e..6e1f1aa13d9 100644
--- a/.github/workflows/sec-checks.yaml
+++ b/.github/workflows/sec-checks.yaml
@@ -16,20 +16,20 @@ jobs:
 with:
 scan-type: 'fs'
 ignore-unfixed: true
- format: 'json'
- output: './results.json'
+ format: 'table'
+ output: './results.txt'
 severity: 'CRITICAL,HIGH,MEDIUM,LOW'
 exit-code: '1'
 # trivy-config: trivy.yaml
 - name: Inspect action report
 if: always()
- run: cat ./results.json
+ run: cat ./results.txt
 - name: Upload artifact
 if: always()
 uses: actions/upload-artifact@v4
 with:
 name: trivy-fs-scan-results
- path: ./results.json
+ path: ./results.txt
 trivy-docker-image:
 name: Trivy docker image scan
 runs-on: ubuntu-latest
@@ -63,21 +63,21 @@ jobs:
 image-ref: kics:sec-trivy-tests-${{ github.sha }}
 ignore-unfixed: true
 vuln-type: 'os,library'
- format: 'json'
- output: './results.json'
+ format: 'table'
+ output: './results.txt'
 severity: 'CRITICAL,HIGH,MEDIUM,LOW'
 ignore-policy: './trivy-ignore.rego'
 # trivy-config: trivy.image.yaml
 exit-code: '1'
 - name: Inspect action report
 if: always()
- run: cat ./results.json
+ run: cat ./results.txt
 - name: Upload artifact
 if: always()
 uses: actions/upload-artifact@v4
 with:
 name: trivy-docker-image-scan-results
- path: ./results.json
+ path: ./results.txt
 grype-file-system:
 name: Grype fs scan
 runs-on: ubuntu-latest
@@ -90,18 +90,9 @@ jobs:
 with:
 path: "."
 only-fixed: true
- output-format: json
+ output-format: table
 severity-cutoff: low
 fail-build: true
- - name: Inspect action report
- if: always()
- run: cat ${{ steps.grype-fs-scan.outputs.json }}
- - name: Upload artifact
- if: always()
- uses: actions/upload-artifact@v4
- with:
- name: grype-fs-scan-results
- path: ${{ steps.grype-fs-scan.outputs.json }}
 grype-docker-image:
 name: Grype docker image scan
 runs-on: ubuntu-latest
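Review bot: Switching `format` to `'table'` and uploading `./results.txt` leaves only a human-readable artifact for the Trivy fs scan, so nothing downstream can consume the findings structurally (SARIF/JSON for code scanning, diffing against the previous run, or automated triage); the trivy-docker-image hunk at `@@ -63,21` has the same effect. If the table is wanted for the `Inspect action report` log, consider keeping a machine-readable copy as well — trivy-action takes one `format` per step, so that would mean a second scan step (for example with `format: 'sarif'`) and its own upload, or producing the table from the JSON in the inspect step. The `exit-code: '1'` behaviour is unchanged, so this is only about retention of the findings, not about what fails the build.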
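Review bot: Deleting the `Inspect action report` and `Upload artifact` steps after `fail-build: true` means the Grype fs findings are no longer archived anywhere; the Trivy jobs earlier in this file still upload their `results.txt`, so retention is now inconsistent between the two scanners, and the grype-docker-image hunk at `@@ -138,17` does the same. Presumably the `cat` step was dropped because `steps.grype-fs-scan.outputs.json` is only set for JSON output, but with `output-format: table` the findings then live only in the job log, which expires. Suggest restoring an `actions/upload-artifact@v4` step with `if: always()` pointing at whatever file the pinned scan-action version writes for table output, or keeping `json` as the action's format and rendering a table in the inspect step. The scan step's `uses:`/`id:` lines start above the hunk, so the action version cannot be confirmed from here.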
@@ -138,17 +129,8 @@ jobs:
 image: kics:sec-tests-${{ github.sha }}
 only-fixed: true
 severity-cutoff: low
- output-format: json
+ output-format: table
 fail-build: true
- - name: upload artifact
- if: always()
- uses: actions/upload-artifact@v4
- with:
- name: grype-docker-image-scan-results
- path: ${{ steps.grype-image-scan.outputs.json }}
- - name: Inspect action report
- if: always()
- run: cat ${{ steps.grype-image-scan.outputs.json }}
 govulncheck-file-system:
 runs-on: ubuntu-latest
 name: govulncheck fs scan
diff --git a/.grype.yaml b/.grype.yaml
index 1e526650ca5..0db478fb086 100644
--- a/.grype.yaml
+++ b/.grype.yaml
@@ -1,4 +1,5 @@
 ignore:
+ - vulnerability: GHSA-4v7x-pqxf-cx7m # False Positive
 - package:
 name: anchore/scan-action
 - package:
diff --git a/docs/queries/cicd-queries/555ab8f9-2001-455e-a077-f2d0f41e2fb9.md b/docs/queries/cicd-queries/555ab8f9-2001-455e-a077-f2d0f41e2fb9.md
index 0e4cd13cfdf..0bf329f5582 100644
--- a/docs/queries/cicd-queries/555ab8f9-2001-455e-a077-f2d0f41e2fb9.md
+++ b/docs/queries/cicd-queries/555ab8f9-2001-455e-a077-f2d0f41e2fb9.md
@@ -83,4 +83,19 @@ jobs:
 with:
 persist-credentials: false
-```
\ No newline at end of file
+```
+```yaml title="Negative test num. 3 - yaml file"
+name: test-negative3
+on:
+ pull_request:
+ types: [opened, synchronize, edited, reopened]
+ branches:
+ - master
+jobs:
+ test-negative3:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Local action
+ uses: ./test.yml
+
+```
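Review bot: The new `- vulnerability: GHSA-4v7x-pqxf-cx7m # False Positive` ignore rule in `.grype.yaml` is scoped only by advisory, so Grype will suppress this GHSA for every package it matches in every scan that reads this file, not just the one where it was judged a false positive. The neighbouring rules are scoped with `package:`; this one should be too, and the comment should record why it is a false positive and where that was decided, e.g. `- vulnerability: GHSA-4v7x-pqxf-cx7m  # false positive for <package-name placeholder>, see <tracking-issue placeholder>` followed by a `package:` / `name:` pair. Without a scope and a rationale the suppression will silently outlive the fix once the advisory data is corrected, and nobody reviewing the file later can tell whether it is still warranted.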