Skip to content
trivy-pr-scan

Sorted lists for json serialization for parser and annotator outputs DUG-408 #22

Sign in to view logs

Sorted lists for json serialization for parser and annotator outputs DUG-408

Sorted lists for json serialization for parser and annotator outputs DUG-408 #22

Workflow file for this run

.github/workflows/trivy-pr-scan.yml at ef0b74d
name: trivy-pr-scan
on:
pull_request:
branches:
- develop
- master
- main
types: [ opened, synchronize ]
paths-ignore:
- README.md
- .old_cicd/*
- .github/*
- .github/workflows/*
- LICENSE
- .gitignore
- .dockerignore
- .githooks
jobs:
trivy-pr-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: |
network=host
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
logout: true
# Notes on Cache:
# https://docs.docker.com/build/ci/github-actions/examples/#inline-cache
- name: Build Container
uses: docker/build-push-action@v5
with:
context: .
push: false
load: true
tags: ${{ github.repository }}:vuln-test
cache-from: type=registry,ref=${{ github.repository }}:buildcache
cache-to: type=registry,ref=${{ github.repository }}:buildcache,mode=max
# We will not be concerned with Medium and Low vulnerabilities
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: '${{ github.repository }}:vuln-test'
format: 'sarif'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
output: 'trivy-results.sarif'
exit-code: '1'
# Scan results should be viewable in GitHub Security Dashboard
# We still fail the job if results are found, so below will always run
# unless manually canceled.
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
if: '!cancelled()'
with:
sarif_file: 'trivy-results.sarif'