mirror of
https://github.com/intel/intel-device-plugins-for-kubernetes.git
synced 2025-06-03 03:59:37 +00:00
8ab7b23380
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.11 to 3.25.12.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](b611370bb5...4fa2a79536)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
133 lines
4.0 KiB
YAML
133 lines
4.0 KiB
YAML
name: trivy
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
upload-to-github-security-tab:
|
|
default: false
|
|
required: false
|
|
type: boolean
|
|
export-csv:
|
|
default: false
|
|
required: false
|
|
type: boolean
|
|
deployments:
|
|
default: true
|
|
required: false
|
|
type: boolean
|
|
dockerfiles:
|
|
default: true
|
|
required: false
|
|
type: boolean
|
|
|
|
permissions:
|
|
actions: read
|
|
contents: read
|
|
|
|
jobs:
|
|
trivy-scan-deployments:
|
|
name: Scan deployments
|
|
if: ${{ inputs.deployments }}
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
|
|
- name: Run Trivy in config mode for deployments
|
|
uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
|
|
with:
|
|
scan-type: config
|
|
scan-ref: deployments/
|
|
exit-code: 1
|
|
severity: CRITICAL,HIGH
|
|
# When trivy-action starts supporting this, use it instead of .trivyaction
|
|
# https://github.com/aquasecurity/trivy-action/issues/284
|
|
#ignorefile: .trivyignore.yaml
|
|
|
|
trivy-scan-dockerfiles:
|
|
name: Scan Dockerfiles
|
|
if: ${{ inputs.dockerfiles }}
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
|
|
- name: Run Trivy in config mode for dockerfiles
|
|
uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
|
|
with:
|
|
scan-type: config
|
|
scan-ref: build/docker/
|
|
exit-code: 1
|
|
severity: CRITICAL,HIGH
|
|
|
|
trivy-scan-licenses:
|
|
runs-on: ubuntu-22.04
|
|
name: Scan licenses
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
|
|
- name: Run Trivy in fs mode
|
|
uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
|
|
with:
|
|
scan-type: fs
|
|
scan-ref: .
|
|
exit-code: 1
|
|
scanners: license
|
|
severity: "UNKNOWN,MEDIUM,HIGH,CRITICAL"
|
|
|
|
trivy-scan-vulns:
|
|
permissions:
|
|
security-events: write
|
|
runs-on: ubuntu-22.04
|
|
name: Scan vulnerabilities
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
|
|
- name: Run Trivy in fs mode
|
|
continue-on-error: true
|
|
uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
|
|
with:
|
|
scan-type: fs
|
|
scan-ref: .
|
|
exit-code: 1
|
|
list-all-pkgs: true
|
|
format: json
|
|
output: trivy-report.json
|
|
- name: Show report in human-readable format
|
|
uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
|
|
with:
|
|
scan-type: convert
|
|
vuln-type: ''
|
|
severity: ''
|
|
image-ref: trivy-report.json
|
|
format: table
|
|
- name: Convert report to sarif
|
|
if: ${{ inputs.upload-to-github-security-tab }}
|
|
uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
|
|
with:
|
|
scan-type: convert
|
|
vuln-type: ''
|
|
severity: ''
|
|
image-ref: trivy-report.json
|
|
format: sarif
|
|
output: trivy-report.sarif
|
|
- name: Upload sarif report to GitHub Security tab
|
|
if: ${{ inputs.upload-to-github-security-tab }}
|
|
uses: github/codeql-action/upload-sarif@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3
|
|
with:
|
|
sarif_file: trivy-report.sarif
|
|
- name: Convert report to csv
|
|
if: ${{ inputs.export-csv }}
|
|
uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
|
|
with:
|
|
scan-type: convert
|
|
vuln-type: ''
|
|
severity: ''
|
|
image-ref: trivy-report.json
|
|
format: template
|
|
template: "@.github/workflows/template/trivy-csv.tpl"
|
|
output: trivy-report.csv
|
|
- name: Upload CSV report as an artifact
|
|
if: ${{ inputs.export-csv }}
|
|
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4
|
|
with:
|
|
name: trivy-report
|
|
path: trivy-report.csv
|