Skip to content

scan_vulns

scan_vulns #161

Workflow file for this run

name: scan_vulns
on:
push:
paths-ignore:
- "docs/**"
- "library/**"
- "**.md"
pull_request:
paths-ignore:
- "docs/**"
- "library/**"
- "**.md"
schedule:
- cron: "30 8 * * 0" # early morning (08:30 UTC) every Sunday
workflow_dispatch:
permissions: read-all
jobs:
govulncheck:
name: "Run govulncheck"
runs-on: ubuntu-22.04
timeout-minutes: 15
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: "1.22"
check-latest: true
- uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
scan_vulnerabilities:
name: "[Trivy] Scan for vulnerabilities"
runs-on: ubuntu-22.04
timeout-minutes: 15
env:
TRIVY_VERSION: v0.49.1
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- name: Check out code into the Go module directory
uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871
- name: Manual Trivy Setup
uses: aquasecurity/setup-trivy@eadb05c36f891dc855bba00f67174a1e61528cd4 # v0.2.1
with:
cache: true
version: ${{ env.TRIVY_VERSION }}
- name: Run trivy on git repository
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
with:
scan-type: 'fs'
scan-ref: '.'
ignore-unfixed: true
scanners: 'vuln'
version: ${{ env.TRIVY_VERSION }}
- name: Build docker images
run: |
make e2e-build-local-ratify-image
make e2e-build-crd-image
- name: Run Trivy vulnerability scanner on localbuild:test
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
with:
scan-type: 'image'
image-ref: 'localbuild:test'
ignore-unfixed: true
version: ${{ env.TRIVY_VERSION }}
- name: Run Trivy vulnerability scanner on localbuildcrd:test
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
with:
scan-type: 'image'
image-ref: 'localbuildcrd:test'
ignore-unfixed: true
version: ${{ env.TRIVY_VERSION }}
- name: Run Trivy vulnerability scanner on localbuild:test and exit on HIGH severity
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
with:
scan-type: 'image'
image-ref: 'localbuild:test'
ignore-unfixed: true
severity: 'HIGH,CRITICAL'
exit-code: '1'
version: ${{ env.TRIVY_VERSION }}
- name: Run Trivy vulnerability scanner on localbuildcrd:test and exit on HIGH severity
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # 0.28.0
with:
scan-type: 'image'
image-ref: 'localbuildcrd:test'
ignore-unfixed: true
severity: 'HIGH,CRITICAL'
exit-code: '1'
version: ${{ env.TRIVY_VERSION }}