Merged

Trivy #1274

30 changes: 30 additions & 0 deletions .github/workflows/trivy.yaml
@@ -0,0 +1,30 @@
name: Trivy Scanner
on:
push:
branches:
- main
- dev
pull_request:
jobs:
trivy-scan:
name: Use Trivy
runs-on: ubuntu-24.04
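Review bot: no `permissions:` block is declared anywhere between `name: Trivy Scanner` and `runs-on: ubuntu-24.04`, so GITHUB_TOKEN runs with the repository's default scope, which can be write-all; add `permissions:` with `contents: read` and `security-events: write` directly under `runs-on`. Note also that the `pull_request:` trigger fires for pull requests from forks, where GITHUB_TOKEN is read-only whatever the block says, so the SARIF upload at the end of this job will fail on those runs; either guard that step with a condition such as `github.event.pull_request.head.repo.full_name == github.repository` or accept that fork PRs are scan-only.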


[⚠️ maintainability]
Consider using a more stable version of Ubuntu, such as ubuntu-latest, to ensure compatibility and reduce maintenance overhead when newer versions are released.

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Run Trivy scanner in repo mode
uses: aquasecurity/trivy-action@0.33.1
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH,UNKNOWN'
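Review bot: `actions/checkout@v4` and `aquasecurity/trivy-action@0.33.1` are pinned to mutable tags, so whoever controls those tags controls code that runs with this repository's token; pin each to a full commit SHA and keep the version as a trailing comment (`uses: aquasecurity/trivy-action@<sha> # 0.33.1`). Separately, no `exit-code` input is set, and Trivy exits 0 by default, so a CRITICAL or HIGH finding is written to `trivy-results.sarif` and surfaced in the Security tab but never fails this check; add `exit-code: '1'` if the scan is meant to gate merges into `main` and `dev`.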


[⚠️ security]
Including UNKNOWN severity might lead to noisy results. Ensure that this is intentional and necessary for your security policy.

scanners: vuln,secret,misconfig,license
github-pat: ${{ secrets.GITHUB_TOKEN }}

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
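Review bot: `github-pat: ${{ secrets.GITHUB_TOKEN }}` passes the token to an input the action documents for submitting SBOMs to GitHub's Dependency Snapshot API (`format: github`); a `format: 'sarif'` scan writing to `trivy-results.sarif` does not use that path, so confirm nothing else consumes it and drop the line rather than hand the token to a step that does not need it. The `upload-sarif` step requires `security-events: write` on GITHUB_TOKEN, which no `permissions:` block in this file grants. Also note that `ignore-unfixed: true` filters only vulnerability results; the `secret`, `misconfig` and `license` scanners listed in `scanners:` report regardless of it.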


[💡 style]
Ensure that the SARIF file path is correct and accessible. A missing newline at the end of the file might cause issues in some systems.

Comment on lines +10 to +30

Check warning: Code scanning / CodeQL

Workflow does not contain permissions (Medium)

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix (AI, 22 days ago)

To fix the problem, add the permissions block for the trivy-scan job (or for the root workflow if you want all jobs to inherit it). This block should enumerate the specific minimal permissions required for the current job steps:

  • contents: read is required by nearly all workflows to fetch and check out code.
  • security-events: write is needed to upload SARIF results to the GitHub Security tab using codeql-action/upload-sarif.

Add:

permissions:
  contents: read
  security-events: write

to the trivy-scan job definition, directly below runs-on. This ensures GITHUB_TOKEN has only these two permissions during job execution.

No external methods or imports are required; it's a YAML block edit.

Suggested changeset 1: .github/workflows/trivy.yaml

Autofix patch. Run the following command in your local git repository to apply this patch:
cat << 'EOF' | git apply
diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml
--- a/.github/workflows/trivy.yaml
+++ b/.github/workflows/trivy.yaml
@@ -9,6 +9,9 @@
   trivy-scan:
     name: Use Trivy
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      security-events: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
EOF
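Review bot: the job-level block this hunk adds under `runs-on: ubuntu-24.04` is the right minimum for `trivy-scan`, but also set a workflow-level `permissions: contents: read` above `jobs:`, so that any job added to `trivy.yaml` later starts read-only instead of inheriting the repository default; the job-level block still overrides it to grant `security-events: write`. The hunk also leaves unchanged the fact that `pull_request` runs from forks receive a read-only GITHUB_TOKEN, on which the `upload-sarif` step will still fail.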
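The permissions change from the autofix, carried through to a complete workflow as an added example (this is not the PR's own file or Copilot's patch): a workflow-level read-only default, a job-level override that grants only the SARIF upload its write scope, a guard that skips the upload on fork pull requests where GITHUB_TOKEN is read-only, and `exit-code` so that findings fail the check rather than only being reported. Action versions and scan inputs are taken from the diff above; the `category` value and the choice to keep uploading after a failed scan step are assumptions, not settings from the page.

```yaml
name: Trivy Scanner
on:
  push:
    branches:
      - main
      - dev
  pull_request:

# Workflow-level default: every job in this file starts with a read-only token.
permissions:
  contents: read

jobs:
  trivy-scan:
    name: Use Trivy
    runs-on: ubuntu-24.04
    # Job-level override: only this job may write code-scanning results.
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout code
        # Tags as in the PR; pin to a full commit SHA in production
        # (the SHAs are not on this page and are not invented here).
        uses: actions/checkout@v4

      - name: Run Trivy scanner in repo mode
        uses: aquasecurity/trivy-action@0.33.1
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH,UNKNOWN'
          scanners: vuln,secret,misconfig,license
          # Trivy exits 0 by default; make findings fail the check.
          exit-code: '1'

      - name: Upload Trivy scan results to GitHub Security tab
        # always(): upload even when the scan step failed on findings.
        # The second clause skips fork PRs, whose GITHUB_TOKEN is read-only
        # and cannot write security events (assumed guard, not from the PR).
        if: >-
          always() &&
          (github.event_name != 'pull_request' ||
           github.event.pull_request.head.repo.full_name == github.repository)
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
          # Assumed category name; keeps these results distinct from other
          # SARIF uploads in the same repository.
          category: trivy-fs
```

The `github-pat` input from the original step is omitted: a `sarif` scan does not submit an SBOM, so nothing in this job needs the token beyond what the job-level `permissions:` already grants to `upload-sarif`.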