updated trivy.yaml #660
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Author: Hari Sekhon | |
| # Date: 2022-02-01 13:56:31 +0000 (Tue, 01 Feb 2022) | |
| # | |
| # vim:ts=2:sts=2:sw=2:et | |
| # | |
| # https://github.com/HariSekhon/GitHub-Actions | |
| # | |
| # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback | |
| # | |
| # https://www.linkedin.com/in/HariSekhon | |
| # | |
| # https://github.com/Checkmarx/kics/blob/master/docs/integrations_ghactions.md | |
| --- | |
| name: Kics | |
| on: | |
| push: | |
| branches: | |
| - master | |
| - main | |
| ignore-paths: | |
| - '**/README.md' | |
| pull_request: | |
| branches: | |
| - master | |
| - main | |
| ignore-paths: | |
| - '**/README.md' | |
| workflow_call: | |
| # https://github.com/Checkmarx/kics-github-action#inputs | |
| inputs: | |
| path: | |
| type: string | |
| required: false | |
| default: . | |
| # https://github.com/Checkmarx/kics/blob/master/docs/configuration-file.md | |
| config: | |
| type: string | |
| required: false | |
| queries: | |
| type: string | |
| required: false | |
| fail_on: | |
| type: string | |
| required: false | |
| #default: high,medium | |
| ignore_on: | |
| type: string | |
| required: false | |
| default: results | |
| debug: | |
| type: string | |
| required: false | |
| default: false | |
| workflow_dispatch: | |
| schedule: | |
| - cron: '0 0 * * 1' | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| defaults: | |
| run: | |
| shell: bash -euxo pipefail {0} | |
| env: | |
| CONFIG: ${{ inputs.config }} | |
| CONFIG_FILE: '' | |
| DEBUG: ${{ inputs.debug == true || github.event.inputs.debug == 'true' || '' }} | |
| jobs: | |
| kics: | |
| name: Kics Scan | |
| # github.event.repository.fork isn't available in scheduled workflows | |
| # can't prevent forks of this repo, because also prevents caller workflows | |
| #if: github.repository == 'HariSekhon/Github-Actions' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Environment | |
| run: env | sort | |
| - uses: actions/checkout@v3 | |
| with: | |
| submodules: recursive # requires Git 2.18+ to be installed first | |
| - name: Set environment variable SCAN_PATH | |
| run: | | |
| if [ -n "${{inputs.path}}" ]; then | |
| echo "SCAN_PATH=${{ inputs.path }}" | |
| else | |
| echo "SCAN_PATH=." | |
| fi >> "$GITHUB_ENV" | |
| - name: Make results dir | |
| run: mkdir -pv results | |
| - name: Create Config file | |
| if: ${{ env.CONFIG }} | |
| run: | | |
| cat <<EOF >>kics.config | |
| ${{ env.CONFIG }} | |
| EOF | |
| echo "CONFIG_FILE=kics.config" >> "$GITHUB_ENV" | |
| # https://github.com/Checkmarx/kics-github-action | |
| - name: Kics Scan | |
| uses: checkmarx/kics-action@master | |
| with: | |
| path: ${{ env.SCAN_PATH }} | |
| fail_on: ${{ inputs.fail_on }} | |
| ignore_on_exit: ${{ inputs.ignore_on_exit }} | |
| output_path: results | |
| output_formats: 'json,sarif' | |
| #config_path: ${{ env.CONFIG_FILE }} | |
| queries: ${{ inputs.queries }} | |
| - name: Upload SARIF file | |
| if: always() | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: results/results.sarif | |
| # summary stats, available in the Scan output already, use this only for post-processing | |
| #- name: Display Results | |
| # run: jq . < results/results.json |