Trivy Filesystem & Container Scan #133
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Trivy Filesystem & Container Scan | |
| on: | |
| push: | |
| branches: [main] | |
| schedule: | |
| - cron: "0 2 * * *" | |
| permissions: | |
| contents: read | |
| jobs: | |
| trivy-fs-scan: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install Trivy CLI | |
| uses: aquasecurity/setup-trivy@e07451d2e059ed86c2870430ea286b3a9e0bf241 | |
| with: | |
| version: v0.69.3 | |
| - name: Run Trivy filesystem scan | |
| run: trivy fs --severity HIGH,CRITICAL --exit-code 1 --format sarif --output trivy-fs-results.sarif . | |
| - name: Check Trivy filesystem SARIF exists | |
| id: check-trivy-fs | |
| run: | | |
| if [ -f trivy-fs-results.sarif ]; then | |
| echo "exists=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "exists=false" >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: Upload Trivy filesystem SARIF to GitHub Security | |
| if: steps.check-trivy-fs.outputs.exists == 'true' | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: trivy-fs-results.sarif | |
| trivy-image-scan: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Build Docker image for scanning | |
| run: docker build -t dam-app:ci . | |
| - name: Install Trivy CLI | |
| uses: aquasecurity/setup-trivy@e07451d2e059ed86c2870430ea286b3a9e0bf241 | |
| with: | |
| version: v0.69.3 | |
| - name: Run Trivy container image scan | |
| run: trivy image --scanners vuln --severity CRITICAL --exit-code 1 --format sarif --output trivy-image-results.sarif dam-app:ci | |
| - name: Check Trivy image SARIF exists | |
| id: check-trivy-image | |
| run: | | |
| if [ -f trivy-image-results.sarif ]; then | |
| echo "exists=true" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "exists=false" >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: Upload Trivy image SARIF to GitHub Security | |
| if: steps.check-trivy-image.outputs.exists == 'true' | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: trivy-image-results.sarif |