Trivy Security Scan #901
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Trivy Security Scan | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| - cron: 0 0 * * * # daily at midnight | |
| workflow_call: | |
| inputs: | |
| image-ref: | |
| type: string | |
| required: false | |
| description: Container Ref to be scanned by Trivy | |
| env: | |
| DOCKER_BUILDKIT: 1 | |
| COSIGN_EXPERIMENTAL: 1 | |
| jobs: | |
| trivy-repo: | |
| name: Scan repository | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write # upload security results | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: Get main branch SHA | |
| run: | | |
| git pull origin main:main | |
| echo "BASE_SHA=$(git merge-base --fork-point main)" | tee -a $GITHUB_ENV | |
| - name: Scan repo filesystem | |
| uses: aquasecurity/trivy-action@0.33.1 | |
| with: | |
| scan-type: fs | |
| format: sarif | |
| output: trivy-results.sarif | |
| - name: Upload scan results to GitHub Security | |
| uses: github/codeql-action/upload-sarif@v4 | |
| if: always() | |
| with: | |
| sarif_file: trivy-results.sarif | |
| ref: refs/heads/main | |
| sha: ${{ env.BASE_SHA }} | |
| trivy-docker: | |
| name: Scan container image | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write # upload security results | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: Get main branch SHA | |
| run: | | |
| git pull origin main:main | |
| echo "BASE_SHA=$(git merge-base --fork-point main)" | tee -a $GITHUB_ENV | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@v4.0.0 | |
| - name: Generate docker-compliant image name | |
| run: | | |
| if [[ -z "$IMAGE_REF" ]]; then | |
| echo "IMAGE_REF=$(echo ${GITHUB_REPOSITORY,,} | sed 's/docker-//'):latest" | tee -a $GITHUB_ENV | |
| else | |
| echo "IMAGE_REF=$IMAGE_REF" | tee -a $GITHUB_ENV | |
| fi | |
| env: | |
| IMAGE_REF: ${{ inputs.image-ref }} | |
| - name: Verify container images | |
| run: | | |
| cosign verify \ | |
| --certificate-oidc-issuer https://token.actions.githubusercontent.com \ | |
| --certificate-identity-regexp https://github.com/$GITHUB_REPOSITORY/.github/workflows/ \ | |
| $IMAGE_REF | |
| - name: Scan container image | |
| uses: aquasecurity/trivy-action@0.33.1 | |
| with: | |
| image-ref: ${{ env.IMAGE_REF }} | |
| format: sarif | |
| output: trivy-results.sarif | |
| - name: Upload scan results to GitHub Security | |
| uses: github/codeql-action/upload-sarif@v4 | |
| if: always() | |
| with: | |
| sarif_file: trivy-results.sarif | |
| ref: refs/heads/main | |
| sha: ${{ env.BASE_SHA }} |