Skip to content

Trivy Filesystem & Container Scan #140

Trivy Filesystem & Container Scan

Trivy Filesystem & Container Scan #140

Workflow file for this run

name: Trivy Filesystem & Container Scan
on:
push:
branches: [main]
schedule:
- cron: "0 2 * * *"
permissions:
contents: read
jobs:
trivy-fs-scan:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
- name: Install Trivy CLI
uses: aquasecurity/setup-trivy@e07451d2e059ed86c2870430ea286b3a9e0bf241
with:
version: v0.69.3
- name: Run Trivy filesystem scan
run: trivy fs --severity HIGH,CRITICAL --exit-code 1 --format sarif --output trivy-fs-results.sarif .
- name: Check Trivy filesystem SARIF exists
id: check-trivy-fs
run: |
if [ -f trivy-fs-results.sarif ]; then
echo "exists=true" >> "$GITHUB_OUTPUT"
else
echo "exists=false" >> "$GITHUB_OUTPUT"
fi
- name: Upload Trivy filesystem SARIF to GitHub Security
if: steps.check-trivy-fs.outputs.exists == 'true'
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: trivy-fs-results.sarif
trivy-image-scan:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- uses: actions/checkout@v4
- name: Build Docker image for scanning
run: docker build -t dam-app:ci .
- name: Install Trivy CLI
uses: aquasecurity/setup-trivy@e07451d2e059ed86c2870430ea286b3a9e0bf241
with:
version: v0.69.3
- name: Run Trivy container image scan
run: trivy image --scanners vuln --severity CRITICAL --exit-code 1 --format sarif --output trivy-image-results.sarif dam-app:ci
- name: Check Trivy image SARIF exists
id: check-trivy-image
run: |
if [ -f trivy-image-results.sarif ]; then
echo "exists=true" >> "$GITHUB_OUTPUT"
else
echo "exists=false" >> "$GITHUB_OUTPUT"
fi
- name: Upload Trivy image SARIF to GitHub Security
if: steps.check-trivy-image.outputs.exists == 'true'
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: trivy-image-results.sarif