redirect (#424) #1205
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Trivy configured to scan for vulnerable dependencies in the project software composition | |
name: Trivy Scan | |
# Events that triggers Trivy to run | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
branches: [main, production] | |
jobs: | |
build: | |
name: Trivy Vulnerability Scanner | |
runs-on: ubuntu-latest | |
# Skip any PR created by dependabot to avoid permission issues (if used) | |
if: (github.actor != 'dependabot[bot]') | |
steps: | |
# Checking out the repo to scan | |
- name: Checkout code | |
uses: actions/checkout@v2 | |
# Run Trivy with the following args | |
- name: Run Trivy | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: 'fs' # Filesystem mode | |
ignore-unfixed: true # Ignore vulnerabilities with no available fix | |
format: 'template' # Template output mode | |
template: '@/contrib/sarif.tpl' # SARIF template to be compatible with GitHub security tab | |
output: 'trivy-results.sarif' # Output file name | |
severity: 'CRITICAL' # Report error only on critical vulnerabilities. Warn on lower severities | |
exit-code: '1' # Fail the job if a critical vulnerability with fix available is found | |
# Generate the output as SARIF and upload to the security tab | |
- name: Upload Trivy results | |
uses: github/codeql-action/upload-sarif@v1 | |
if: always() # Upload even if the job has failed due to a vulnerability | |
with: | |
sarif_file: 'trivy-results.sarif' |