-
Notifications
You must be signed in to change notification settings - Fork 247
91 lines (79 loc) · 2.87 KB
/
trivy-security-scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
##
# This action runs Trivy container and repository vulnerability
# scanner for Docker images and filesystem.
##
name: trivy-security-scan
on:
repository_dispatch:
types: [trivy-scan-dispatch]
jobs:
trivy_scan:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
# Image availability check with retry logic
- name: Check Docker image availability with retry
id: check-image
if: github.event.client_payload.image != ''
run: |
image="${{ github.event.client_payload.image }}"
interval=300
retry_limit=5
attempt=0
while ! docker pull $image; do
attempt=$((attempt + 1))
if [ "$attempt" -gt "$retry_limit" ]; then
echo "::error::Image $image is not available after $retry_limit attempts."
exit 1
fi
echo "Waiting for $image to be available. Attempt $attempt/$retry_limit. Retrying in $interval seconds..."
sleep $interval
done
echo "Image $image is now available."
# Image scanning
- name: Run Trivy vulnerability scanner on image
if: github.event.client_payload.image != ''
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
with:
image-ref: ${{ github.event.client_payload.image }}
cache: 'true'
format: "sarif"
output: "trivy-image-results.sarif"
exit-code: "1"
ignore-unfixed: true
vuln-type: "os,library"
severity: "CRITICAL,HIGH"
env:
TRIVY_CACHE_DIR: .cache/trivy
TRIVY_SKIP_DB_UPDATE: true
TRIVY_SKIP_JAVA_DB_UPDATE: true
# Upload image scan results
- name: Upload Trivy image scan results
uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
with:
sarif_file: "trivy-image-results.sarif"
category: trivy-image
# Filesystem scanning
- name: Run Trivy filesystem scan
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
with:
scan-type: 'fs'
cache: 'true'
format: 'sarif'
output: 'trivy-fs-results.sarif'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
env:
TRIVY_CACHE_DIR: .cache/trivy
TRIVY_SKIP_DB_UPDATE: true
TRIVY_SKIP_JAVA_DB_UPDATE: true
# Upload filesystem scan results
- name: Upload Trivy filesystem scan results
uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
with:
sarif_file: 'trivy-fs-results.sarif'
category: trivy-fs