ci: try trivy scanner

DeadNews · Sep 15, 2023 · c418efc · c418efc
1 parent 45df7c9
commit c418efc
Showing 1 changed file with 7 additions and 10 deletions.
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -75,20 +75,17 @@ jobs:
         run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
 
       # Analyze vulnerabilities
-      - name: Analyze for critical and high CVEs
-        id: docker-scout-cves
+      - name: Run Trivy vulnerability scanner
         if: ${{ github.event_name != 'pull_request' }}
-        uses: docker/scout-action@64ca6fb5e6ada64f5febd1a991b499900b29faf0 # v0.23.4
+        uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # v0.12.0
         with:
-          command: cves
-          image: ${{ steps.meta.outputs.tags }}
-          sarif-file: sarif.output.json
-          summary: true
+          image-ref: ${{ steps.meta.outputs.tags }}
+          format: "sarif"
+          output: "trivy-results.sarif"
 
       # Upload report to GitHub code scanning
-      - name: Upload SARIF result
-        id: upload-sarif
+      - name: Upload Trivy scan results to GitHub Security tab
         if: ${{ github.event_name != 'pull_request' }}
         uses: github/codeql-action/upload-sarif@v2
         with:
-          sarif_file: sarif.output.json
+          sarif_file: "trivy-results.sarif"