diff --git a/.github/workflows/scan-code-trivy.yaml b/.github/workflows/scan-code-trivy.yaml
new file mode 100644
index 0000000000..eb2746cde4
--- /dev/null
+++ b/.github/workflows/scan-code-trivy.yaml
@@ -0,0 +1,37 @@
+name: Trivy Scan Code
+
+on:
+ workflow_call:
+
+concurrency:
+ group: callee-trivy-${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ trivy-scan-code:
+ runs-on: ubuntu-latest
+ timeout-minutes: 60
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v3
+ - name: Cache Scan Dependencies
+ uses: actions/cache@v3
+ with:
+ path: ~/.cache/trivy
+ key: callee-trivy-${{ github.workflow }}-${{ github.run_id }}
+ restore-keys: trivy-
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: fs
+ format: sarif
+ output: trivy-results.sarif
+ exit-code: "0"
+ ignore-unfixed: false
+ severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
+ timeout: 10m0s
+ - name: Upload Trivy scan results as artifact
+ uses: actions/upload-artifact@v2
+ with:
+ name: trivy-results
+ path: trivy-results.sarif
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index be68a9b9e7..7d60d871e9 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -146,12 +146,12 @@ jobs:
 run: |
 rm -rf /tmp/.buildx-cache
 mv /tmp/.buildx-cache-new /tmp/.buildx-cache
- trivy-image-scan:
- needs: docker-build
- uses: bcgov/pipeline-templates/.github/workflows/trivy-container.yaml@main
- with:
- IMAGE: gregnrobinson/bcgov-nginx-demo
- TAG: latest
+ # trivy-image-scan:
+ # needs: docker-build
+ # uses: bcgov/pipeline-templates/.github/workflows/trivy-container.yaml@main
+ # with:
+ # IMAGE: gregnrobinson/bcgov-nginx-demo
+ # TAG: latest
 # sonar-repo-scan:
 # uses: bcgov/pipeline-templates/.github/workflows/sonar-scanner.yaml@main
 # with:
diff --git a/.github/workflows/trivy-container.yaml b/.github/workflows/trivy-container.yaml
deleted file mode 100644
index 196808de77..0000000000
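Review bot: The cache step in scan-code-trivy.yaml can never restore a previous entry, because `restore-keys: trivy-` is a prefix match and every key this workflow writes starts with `callee-trivy-`, so the Trivy vulnerability DB under `~/.cache/trivy` is re-downloaded on every run; use `restore-keys: callee-trivy-${{ github.workflow }}-` (the same prefix as `key`). `aquasecurity/trivy-action@master` is a mutable ref on a third-party action that runs with the repository checked out, so it should be pinned to a release tag or full commit SHA the way the `actions/*` steps are, and `actions/upload-artifact@v2` is an old major worth bumping in the same pass. With `exit-code: "0"` the job never fails and the SARIF is only kept as a build artifact — unlike the deleted trivy-repo.yaml, nothing uploads it to Code Scanning, so findings will not surface in the Security tab; if that is intended it deserves a comment, otherwise add an upload-sarif step and a minimal `permissions:` block (the workflow currently declares none).
```yaml
permissions:
  contents: read
  security-events: write  # required by the upload-sarif step below

# … unchanged: concurrency, job header, checkout step …
      - name: Cache Scan Dependencies
        uses: actions/cache@v3
        with:
          path: ~/.cache/trivy
          key: callee-trivy-${{ github.workflow }}-${{ github.run_id }}
          restore-keys: callee-trivy-${{ github.workflow }}-
# … unchanged: trivy-action step (pin @master to a tag/SHA), artifact upload …
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@<PINNED_TAG_OR_SHA>  # placeholder: pin a current release
        with:
          sarif_file: trivy-results.sarif
```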
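Review bot: Commenting out `trivy-image-scan` in test.yaml removes the only scan of the built image (`gregnrobinson/bcgov-nginx-demo:latest`), and the new scan-code-trivy.yaml runs `scan-type: fs` against the checked-out repository, which does not cover the OS packages inside that image — so container vulnerabilities are no longer checked anywhere in this diff. If the image scan is meant to go away, delete the block rather than leave six commented lines beside the already-commented `sonar-repo-scan`; if it is meant to return, a one-line `# TODO: re-enable image scan once <reason placeholder>` would record why it is off. Nothing visible here calls the new `workflow_call` workflow either, so as far as this diff shows the repo scan is not wired into test.yaml. The enclosing `jobs:` mapping starts before this hunk and continues past it.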
--- a/.github/workflows/trivy-container.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# name: trivy-image-scan
-# on:
-# workflow_call:
-# inputs:
-# TAG:
-# required: true
-# type: string
-# IMAGE:
-# required: true
-# type: string
-# jobs:
-# trivy-image-scan:
-# runs-on: ubuntu-latest
-# timeout-minutes: 60
-# steps:
-# - name: Trivy Vulnerability Scan
-# uses: aquasecurity/trivy-action@master
-# with:
-# image-ref: ${{ inputs.IMAGE }}:${{ inputs.TAG }}
-# format: table
-# exit-code: '0'
-# ignore-unfixed: true
-# vuln-type: os,library
-# severity: CRITICAL
diff --git a/.github/workflows/trivy-repo.yaml b/.github/workflows/trivy-repo.yaml
deleted file mode 100644
index 0a1fd13837..0000000000
--- a/.github/workflows/trivy-repo.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-name: trivy-repo-scan
-on:
- push:
- # branches: [main]
- pull_request:
- # The branches below must be a subset of the branches above
- # branches: [main]
- schedule:
- - cron: "19 23 * * 5"
-# on:
-# push:
-# branches:
-# - main
-# pull_request:
-# workflow_call:
-jobs:
- tricy-repo-scan:
- name: trivy-repo-scan
- runs-on: ubuntu-20.04
- steps:
- - name: Checkout code
- uses: actions/checkout@v2
-
- - name: Run Trivy vulnerability scanner in repo mode
- uses: aquasecurity/trivy-action@master
- with:
- scan-type: "fs"
- ignore-unfixed: true
- format: "template"
- template: "@/contrib/sarif.tpl"
- output: "trivy-results.sarif"
- severity: "CRITICAL"
-
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v1
- with:
- sarif_file: "trivy-results.sarif"