IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

ci(trivy): Use non-default DB registry to avoid rate limits (#95434)

Browse Source 
Signed-off-by: Dave Henderson <dave.henderson@grafana.com>
This commit is contained in:
Dave Henderson 2024-10-25 15:12:41 -04:00 committed by GitHub
parent fd99b82f78
commit 0880329796
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 38 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
.github/workflows/trivy-scan.yml vendored
View File

@ -17,39 +17,46 @@ jobs:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner (table output) - name: Install Trivy
uses: aquasecurity/trivy-action@0.28.0 uses: aquasecurity/setup-trivy@v0.2.1
with: with:
version: v0.56.2
cache: true
- name: Download Trivy DB
run: |
trivy fs --no-progress --download-db-only --db-repository public.ecr.aws/aquasecurity/trivy-db
- name: Run Trivy vulnerability scanner (table output)
# Use the trivy binary rather than the aquasecurity/trivy-action action
# to avoid a few bugs
# scan the filesystem, rather than building a Docker image prior - the # scan the filesystem, rather than building a Docker image prior - the
# downside is we won't catch dependencies that are only installed in the # downside is we won't catch dependencies that are only installed in the
# image, but the upside is we'll only catch vulnerabilities that are # image, but the upside is we'll only catch vulnerabilities that are
# explicitly in the our dependencies # explicitly in the our dependencies
scan-type: 'fs' run: |
scanners: 'vuln' trivy fs \
format: 'table' --scanners vuln \
exit-code: 1 --format table \
ignore-unfixed: true --exit-code 1 \
vuln-type: 'os,library' --ignore-unfixed \
severity: 'CRITICAL,HIGH' --pkg-types os,library \
trivyignores: .trivyignore --severity CRITICAL,HIGH \
# for the PR check, ignore JS-related issues --ignorefile .trivyignore \
skip-files: 'yarn.lock,package.json' --skip-files yarn.lock,package.json \
--skip-db-update \
.
- name: Run Trivy vulnerability scanner (SARIF) - name: Run Trivy vulnerability scanner (SARIF)
# Note: versions 0.27.0 and 0.28.0 are broken for SARIF output, but it's # Use the trivy binary rather than the aquasecurity/trivy-action action
# unclear why - worth testing again in the future # to avoid a few bugs
uses: aquasecurity/trivy-action@0.26.0 run: |
with: trivy fs \
scan-type: 'fs' --scanners vuln \
scanners: 'vuln' --format sarif \
# Note: The SARIF format ignores severity and uploads all vulns for --output trivy-results.sarif \
# later triage. The table-format step above is used to fail the build --ignore-unfixed \
# if there are any critical or high vulnerabilities. --pkg-types os,library \
# See https://github.com/aquasecurity/trivy-action/issues/95 --ignorefile .trivyignore \
format: 'sarif' --skip-db-update \
output: 'trivy-results.sarif' .
ignore-unfixed: true
vuln-type: 'os,library'
trivyignores: .trivyignore
if: always() && github.repository == 'grafana/grafana' if: always() && github.repository == 'grafana/grafana'
- name: Upload Trivy scan results to GitHub Security tab - name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3 uses: github/codeql-action/upload-sarif@v3