a115d5db03
Bumps [aquasecurity/setup-trivy](https://github.com/aquasecurity/setup-trivy) from 0.2.1 to 0.2.2. - [Release notes](https://github.com/aquasecurity/setup-trivy/releases) - [Commits](https://github.com/aquasecurity/setup-trivy/compare/v0.2.1...v0.2.2) --- updated-dependencies: - dependency-name: aquasecurity/setup-trivy dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
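name: Trivy Scan

on:
  pull_request:
    # only run on PRs where go.mod/go.sum/etc have been updated
    paths:
      - go.*
      - .github/workflows/trivy-scan.yml
  push:
    branches:
      - main
    paths:
      - go.*
      - .github/workflows/trivy-scan.yml

# Least-privilege GITHUB_TOKEN: checkout only needs to read the repository,
# and upload-sarif needs security-events: write to publish to the Security tab.
# Declaring this explicitly also keeps the job working when the repository's
# default token permission is set to read-only.
permissions:
  contents: read
  security-events: write

jobs:
  trivy-scan:
    runs-on: ubuntu-22.04
    steps:
      # NOTE(review): action refs below are mutable tags (@v4, @v0.2.2, @v3);
      # pinning to full commit SHAs would harden against tag retargeting.
      - uses: actions/checkout@v4

      - name: Install Trivy
        uses: aquasecurity/setup-trivy@v0.2.2
        with:
          version: v0.56.2
          cache: true

      # Fetch the vulnerability DB once up front; the scan steps below pass
      # --skip-db-update so they reuse this copy instead of re-downloading.
      - name: Download Trivy DB
        run: |
          trivy fs --no-progress --download-db-only --db-repository public.ecr.aws/aquasecurity/trivy-db

      - name: Run Trivy vulnerability scanner (table output)
        # Use the trivy binary rather than the aquasecurity/trivy-action action
        # to avoid a few bugs
        # scan the filesystem, rather than building a Docker image prior - the
        # downside is we won't catch dependencies that are only installed in the
        # image, but the upside is we'll only catch vulnerabilities that are
        # explicitly in our dependencies
        # This is the gating scan: --exit-code 1 fails the job on any unfixed
        # CRITICAL/HIGH finding that is not listed in .trivyignore.
        run: |
          trivy fs \
            --scanners vuln \
            --format table \
            --exit-code 1 \
            --ignore-unfixed \
            --pkg-types os,library \
            --severity CRITICAL,HIGH \
            --ignorefile .trivyignore \
            --skip-files yarn.lock,package.json \
            --skip-db-update \
            .

      - name: Run Trivy vulnerability scanner (SARIF)
        # Use the trivy binary rather than the aquasecurity/trivy-action action
        # to avoid a few bugs
        # Non-gating: no --exit-code, so this step only produces the report.
        # NOTE(review): unlike the table scan above, this scan does not skip
        # yarn.lock/package.json and has no --severity filter, so the Security
        # tab will show findings the gating scan ignores - confirm this is intended.
        run: |
          trivy fs \
            --scanners vuln \
            --format sarif \
            --output trivy-results.sarif \
            --ignore-unfixed \
            --pkg-types os,library \
            --ignorefile .trivyignore \
            --skip-db-update \
            .
        # always() so a failing table scan still yields a SARIF report;
        # restricted to the upstream repo so forks do not try to upload.
        if: always() && github.repository == 'grafana/grafana'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
        if: always() && github.repository == 'grafana/grafana'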