[CI] Add Trivy workflow

This patch adds a workflow to perform trivy check as required by our public release policy.
intel · Jan 30, 2025 · 67241e2 · 67241e2
1 parent adeaea8
commit 67241e2
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 0 deletions.
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -0,0 +1,35 @@
+# This workflow performs trivy check of docker config files.
+# It triggers only on pushs to devops/containers.
+# For more info: https://github.com/aquasecurity/trivy-action
+
+name: Trivy
+
+on:
+  push:
+    paths:
+      - 'devops/containers/**'
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Trivy
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: devops
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: 'config'
+          scan-ref: devops/containers
+          trivyignores: devops/.trivyignore.txt
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/devops/.trivyignore.txt b/devops/.trivyignore.txt
@@ -0,0 +1,3 @@
+misconfigurations:
+  - id: AVD-DS-0026
+    statement: "Our containers do not provide running services, but only preinstalled tools, there is not much value in adding HEALTHCHECK directives"