trivy #143
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: trivy | |
| on: | |
| # runs on default branch | |
| workflow_dispatch: | |
| schedule: | |
| - cron: '0 22 * * 0' # each Monday at 9am AEST+10 / 10am AEDT+11 | |
| permissions: | |
| id-token: write | |
| security-events: write | |
| contents: read | |
| actions: write | |
| jobs: | |
| trivy-prod: | |
| name: Trivy check | |
| runs-on: ubuntu-latest | |
| environment: trivy | |
| env: | |
| # BUILDKIT_PROGRESS: plain | |
| CLOUDSDK_CORE_DISABLE_PROMPTS: 1 | |
| DOCKER_IMAGE: australia-southeast1-docker.pkg.dev/seqr-308602/seqr-project/seqr:gcloud-prod | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - id: 'google-cloud-auth' | |
| name: 'Authenticate to Google Cloud' | |
| uses: 'google-github-actions/auth@v2' | |
| with: | |
| workload_identity_provider: 'projects/1021400127367/locations/global/workloadIdentityPools/github-pool/providers/github-provider' | |
| service_account: '[email protected]' | |
| - name: gcloud docker auth | |
| run: | | |
| gcloud auth configure-docker australia-southeast1-docker.pkg.dev | |
| - name: pull dockers | |
| run: | | |
| docker pull ${{ env.DOCKER_IMAGE }} | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ${{ env.DOCKER_IMAGE }} | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| # upload trivvy results to GH security tab | |
| format: 'template' | |
| template: '@/contrib/sarif.tpl' | |
| output: 'trivy-results-prod.sarif' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: 'trivy-results-prod.sarif' | |
| trivy-dev: | |
| name: Trivy DEV check | |
| runs-on: ubuntu-latest | |
| environment: trivy | |
| env: | |
| # BUILDKIT_PROGRESS: plain | |
| CLOUDSDK_CORE_DISABLE_PROMPTS: 1 | |
| DOCKER_IMAGE: australia-southeast1-docker.pkg.dev/seqr-308602/seqr-project/seqr:gcloud-staging | |
| steps: | |
| # - uses: actions/checkout@v2 | |
| - id: 'google-cloud-auth' | |
| name: 'Authenticate to Google Cloud' | |
| uses: 'google-github-actions/auth@v2' | |
| with: | |
| workload_identity_provider: 'projects/1021400127367/locations/global/workloadIdentityPools/github-pool/providers/github-provider' | |
| service_account: '[email protected]' | |
| - name: gcloud docker auth | |
| run: | | |
| gcloud auth configure-docker australia-southeast1-docker.pkg.dev | |
| - name: pull dockers | |
| run: | | |
| docker pull ${{ env.DOCKER_IMAGE }} | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ${{ env.DOCKER_IMAGE }} | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| # upload trivvy results to GH security tab | |
| format: 'template' | |
| template: '@/contrib/sarif.tpl' | |
| output: 'trivy-results-dev.sarif' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: 'trivy-results-dev.sarif' |