chore: bump aquasecurity/trivy-action from 97e0b3872f55f89b95b2f65b3dbab56962816478 to 314ff8b43182423b84c50b1670b0e10f858f2d98 #1715
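---
name: Trivy Nightly Docker Scan

on:
  # Run scans if the workflow is modified, in order to test the
  # workflow itself. This results in some spurious notifications,
  # but seems okay for testing.
  pull_request:
    branches:
      - main
    paths:
      - .github/workflows/trivy-docker.yaml
  # Run scans against main whenever changes to this workflow are merged.
  push:
    branches:
      - main
    paths:
      - .github/workflows/trivy-docker.yaml
  # Nightly scan of the published image (GitHub cron schedules run in UTC).
  schedule:
    - cron: "15 10 * * *"
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: checkout needs contents:read and
# upload-sarif needs security-events:write; everything else is denied
# explicitly so a later edit cannot widen it by accident.
# NOTE(review): on pull_request runs opened from forks the token is
# read-only, so the SARIF upload step is expected to fail there — confirm
# that is acceptable for the "test the workflow itself" trigger above.
permissions:
  actions: none
  checks: none
  contents: read
  deployments: none
  issues: none
  packages: none
  pull-requests: none
  repository-projects: none
  security-events: write
  statuses: none

# Cancel in-progress runs for pull requests when developers push
# additional changes, and serialize (queue, never cancel) runs on main and
# the nightly schedule so a completed scan is not thrown away. Without
# cancel-in-progress the group only queues runs; it never cancels them.
# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
  trivy-scan-image:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        # Pinned to a full commit SHA (supply-chain hardening); the trailing
        # comment names the tag so Dependabot/Renovate can track the pin.
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

      - name: Run Trivy vulnerability scanner in image mode
        # Pinned to a full commit SHA so the action cannot be swapped under us.
        # NOTE(review): the trailing comment should name the release tag this
        # SHA resolves to rather than "latest", so the pin can be tracked
        # and audited like the other two actions in this file.
        uses: aquasecurity/trivy-action@314ff8b43182423b84c50b1670b0e10f858f2d98 # latest
        with:
          # Scans whatever the "latest" tag resolves to at run time, so the
          # findings drift with upstream pushes and are not tied to a digest.
          image-ref: "docker.io/codercom/code-server:latest"
          # Only report findings that already have a fixed version available.
          ignore-unfixed: true
          format: "sarif"
          output: "trivy-image-results.sarif"
          severity: "HIGH,CRITICAL"

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
        with:
          sarif_file: "trivy-image-results.sarif"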