forked from openebs/rawfile-localpv
-
Notifications
You must be signed in to change notification settings - Fork 1
115 lines (112 loc) · 3.67 KB
/
trivy.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
name: Trivy
on:
pull_request: # todo remove before merge
schedule:
- cron: '0 10 * * *'
jobs:
# list-branches-to-scan:
# runs-on: ubuntu-latest
# outputs:
# branches: ${{ steps.branches.outputs.branches }}
# steps:
# - name: Checking out repo
# uses: actions/checkout@v4
# with:
# fetch-depth: 0
# - name: List branches to scan
# id: branches
# run: |
# # regex matches branches like
# # origin/1.28
# # origin/v1.1
# # origin/release-1.30
# # origin/master
# # origin/main
# BRANCHES=$(git branch -r | grep -E '^ origin\/(((v|release-)?[0-9]+.[0-9]+)|(master|main))$' | \
# sed -e 's#^ origin/##' | jq -R -s -c 'split("\n")[:-1]')
# echo "branches=$(echo $BRANCHES)" >> $GITHUB_OUTPUT
# scan-fs:
# runs-on: ubuntu-latest
# needs: list-branches-to-scan
# strategy:
# matrix:
# branch: ${{ fromJson(needs.list-branches-to-scan.outputs.branches) }}
# permissions:
# security-events: write
# steps:
# - name: Checking out repo
# uses: actions/checkout@v4
# with:
# ref: ${{ matrix.branch }}
# fetch-depth: 0
# - name: Run Trivy vulnerability scanner in repo mode
# uses: aquasecurity/[email protected]
# with:
# scan-type: "fs"
# ignore-unfixed: true
# format: "sarif"
# output: "output.sarif"
# severity: "MEDIUM,HIGH,CRITICAL"
# env:
# TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db"
# - name: Get commit sha
# run: |
# SHA="$(git rev-parse HEAD)"
# echo "head_sha=$SHA" >> "$GITHUB_ENV"
# - name: Upload Trivy scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v3
# with:
# sarif_file: "output.sarif"
# sha: ${{ env.head_sha }}
# ref: refs/heads/${{ matrix.branch }}
scan-container:
runs-on: ubuntu-latest
# needs: list-branches-to-scan
# strategy:
# matrix:
# branch: ${{ fromJson(needs.list-branches-to-scan.outputs.branches) }}
permissions:
security-events: write
steps:
# - name: Checking out repo
# uses: actions/checkout@v4
# with:
# ref: ${{ matrix.branch }}
# fetch-depth: 0
- uses: actions/github-script@v7
id: read-tag
with:
script: |
const { data: packages } = await octokit.rest.packages.getAllPackageVersionsForPackageOwnedByOrg({
package_type,
package_name,
org,
per_page,
});
let container_tag=packages[0].metadata.container.tags[0]
return container_tag
result-encoding: string
- name: Get commit sha
run: |
echo "ghcr.io/${{ github.repository }}:${{steps.read-tag.outputs.result}}"
# - name: Run Trivy vulnerability scanner in image mode
# uses: aquasecurity/[email protected]
# with:
# scan-type: "image"
# image-ref:
# ignore-unfixed: true
# format: "sarif"
# output: "output.sarif"
# severity: "MEDIUM,HIGH,CRITICAL"
# env:
# TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db"
# - name: Get commit sha
# run: |
# SHA="$(git rev-parse HEAD)"
# echo "head_sha=$SHA" >> "$GITHUB_ENV"
# - name: Upload Trivy scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v3
# with:
# sarif_file: "output.sarif"
# sha: ${{ env.head_sha }}
# ref: refs/heads/${{ matrix.branch }}