From 07319c0c0a641e690ca9c5448d49761a67404886 Mon Sep 17 00:00:00 2001 From: Louis Christopher Date: Fri, 30 Aug 2024 10:30:17 +0530 Subject: [PATCH 1/3] Better trivy logs --- .github/workflows/trivy.yml | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index bceb5c4..b6b3b23 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -7,12 +7,14 @@ name: trivy on: push: - branches: [ "master" ] + branches: + - master pull_request: # The branches below must be a subset of the branches above - branches: [ "master" ] + branches: + - master schedule: - - cron: '27 9 * * 6' + - cron: '35 21 * * 4' permissions: contents: read 
@@ -24,25 +26,31 @@ jobs: security-events: write # for github/codeql-action/upload-sarif to upload SARIF results actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status name: Build - runs-on: "ubuntu-20.04" + runs-on: "ubuntu-24.04" steps: - name: Checkout code uses: actions/checkout@v4 - name: Build an image from Dockerfile run: | - docker build -t docker.io/my-organization/my-app:${{ github.sha }} . + docker build -t docker.io/atlanhq/argopm:${{ github.sha }} . - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe + uses: aquasecurity/trivy-action@0.24.0 with: - image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' - format: 'template' - template: '@/contrib/sarif.tpl' + image-ref: 'docker.io/atlanhq/argopm:${{ github.sha }}' + format: 'table' + severity: 'CRITICAL,HIGH' + + - name: Generate trivy results for GitHub Security tab + uses: aquasecurity/trivy-action@0.24.0 + with: + image-ref: 'docker.io/atlanhq/argopm:${{ github.sha }}' + format: 'sarif' output: 'trivy-results.sarif' severity: 'CRITICAL,HIGH' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 with: - sarif_file: 'trivy-results.sarif' + sarif_file: 'trivy-results.sarif' \ No newline at end of file From ed0ee020d1a653a7a4eef391dfc9fa1c670212f7 Mon Sep 17 00:00:00 2001 From: Louis Christopher Date: Fri, 30 Aug 2024 10:35:29 +0530 Subject: [PATCH 2/3] Show all issues in table format --- .github/workflows/trivy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index b6b3b23..eb3e427 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml 
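Review bot: Both scanner steps now use `uses: aquasecurity/trivy-action@0.24.0`, replacing the previous full commit-SHA pin with a mutable tag, so a moved or compromised tag would run different third-party code in a job that holds `security-events: write`. Pin each step to the commit SHA the 0.24.0 tag resolves to and keep the version readable as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha-of-0.24.0>  # 0.24.0`. The table-format step sets no `exit-code` input, so with the action's default it only reports findings and never fails the job; if the step is meant purely as a log, say so in the step name or a comment such as `# log-only scan; the SARIF step below feeds the Security tab`. The rewritten `sarif_file: 'trivy-results.sarif'` line also drops the file's trailing newline.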
@@ -40,7 +40,7 @@ jobs: with: image-ref: 'docker.io/atlanhq/argopm:${{ github.sha }}' format: 'table' - severity: 'CRITICAL,HIGH' + severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL' - name: Generate trivy results for GitHub Security tab uses: aquasecurity/trivy-action@0.24.0 From eaf0aa16009c8fe274f0b0bebd46d1fa676dc499 Mon Sep 17 00:00:00 2001 From: Louis Christopher Date: Fri, 30 Aug 2024 11:00:42 +0530 Subject: [PATCH 3/3] Show all issues in table format --- .github/workflows/trivy.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index eb3e427..06ecd30 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -40,7 +40,6 @@ jobs: with: image-ref: 'docker.io/atlanhq/argopm:${{ github.sha }}' format: 'table' - severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL' - name: Generate trivy results for GitHub Security tab uses: aquasecurity/trivy-action@0.24.0
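Review bot: The `severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'` added here is deleted again by the next patch's hunk at the same line of the same file, and both patches carry the identical subject "Show all issues in table format", so the series should be squashed into one commit that describes the final state. If the action's default severity list is all five levels, the two patches are functionally equivalent and the churn is only noise; if it is not, the deletion in patch 3 silently narrows what the table step reports. Keeping the explicit list is the clearer choice, with a comment such as `# list every severity in the job log; the SARIF step below stays CRITICAL,HIGH`.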