File tree 2 files changed +55
-0
lines changed
2 files changed +55
-0
lines changed Original file line number Diff line number Diff line change 1+ name : Trivy Image Scan - Implementation
2+
3+ on :
4+ workflow_dispatch :
5+ schedule :
6+ - cron : " 0 6 * * *"
7+
8+ jobs :
9+ # TODO: calling reusable workflows works across organizations, decide where to store them and re-use in fleet-manager
10+ call-image-scan-registry :
11+ uses : ./.github/workflows/image-scan-reusable.yaml
12+ with :
13+ image : quay.io/apicurio/apicurio-registry-mem:latest-snapshot
14+ call-image-scan-tenant-manager :
15+ uses : ./.github/workflows/image-scan-reusable.yaml
16+ with :
17+ image : quay.io/apicurio/apicurio-registry-tenant-manager-api:latest-snapshot
Original file line number Diff line number Diff line change 1+ name : Trivy Image Scan
2+
3+ # Reusable workflow:
4+ # https://docs.github.com/en/actions/using-workflows/reusing-workflows#creating-a-reusable-workflow
5+ on :
6+ workflow_call :
7+ inputs :
8+ image :
9+ required : true
10+ type : string
11+
12+ # on:
13+ # workflow_dispatch:
14+ # schedule:
15+ # - cron: "0 6 * * *"
16+
17+ jobs :
18+ vulnerability-scan :
19+ name : Docker vulnerability scan
20+ runs-on : ubuntu-latest
21+ steps :
22+ - name : Checkout "${{ github.ref }}"
23+ uses : actions/checkout@v3
24+
25+ - name : Run Trivy vulnerability scanner
26+ uses : aquasecurity/trivy-action@0.6.2
27+ with :
28+ image-ref : ${{ inputs.image }}
29+ format : ' sarif'
30+ output : ' trivy-results.sarif'
31+ severity : ' CRITICAL,HIGH'
32+ vuln-type : ' os,library'
33+ ignore-unfixed : true
34+
35+ - name : Upload Trivy scan results to GitHub Security tab
36+ uses : github/codeql-action/upload-sarif@v2
37+ with :
38+ sarif_file : ' trivy-results.sarif'
You can’t perform that action at this time.
0 commit comments