Skip to content

Trivy

Trivy #374

Workflow file for this run

name: Trivy
on:
push:
branches: [main]
pull_request:
branches: [main]
schedule:
- cron: "19 7 * * 0"
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
jobs:
build:
strategy:
matrix:
target: [aws, gcp, azure]
platform: [linux/amd64, linux/arm64]
name: Analyze
runs-on: ubuntu-latest
env:
IMAGE_TAG: spacelift-${{ matrix.target }}:${{ github.sha }}
steps:
- name: Checkout code
uses: actions/checkout@main
- name: Set up QEMU
if: matrix.platform == 'linux/arm64'
uses: docker/setup-qemu-action@v3
with:
platforms: linux/arm64
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Bake the image
uses: docker/bake-action@v4
with:
targets: ${{ matrix.target }}
load: true
set: |
${{ matrix.target }}.tags=${{ env.IMAGE_TAG }}
${{ matrix.target }}.platform=${{ matrix.platform }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: ${{ env.IMAGE_TAG }}
format: "sarif"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH"
timeout: "10m"
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "trivy-results.sarif"