diff --git a/.github/workflows/pr_build.yml b/.github/workflows/pr_build.yml
index 0fa1c46..f37674d 100644
--- a/.github/workflows/pr_build.yml
+++ b/.github/workflows/pr_build.yml
@@ -39,5 +39,5 @@ jobs:
 secrets: inherit
 trivy-scans:
 if: (github.base_ref == 'develop' || github.base_ref == 'main' || github.base_ref == 'master' ) && github.event.pull_request.merged == false
- uses: kbase/.github/.github/workflows/reusable_trivy-scans.yml@main
+ uses: ./.github/workflows/trivy.yml
 secrets: inherit
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index ee0342d..6fe7662 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -1,18 +1,7 @@
 name: "Trivy Scans"
 on:
- pull_request:
- types:
- - opened
- - reopened
- - synchronize
- - ready_for_review
- push:
- # run workflow when merging to main or develop
- branches:
- - main
- - master
- - develop
+ workflow_call:
 jobs:
 build:
@@ -31,6 +20,7 @@ jobs:
 git config --global --add safe.directory $GITHUB_WORKSPACE;
 docker build -t trivy-test .
+ # Copied from https://github.com/kbase/.github/blob/main/.github/workflows/reusable_trivy-scans.yml
 - name: Check for log4j CVEs
 run: |
 set -e
@@ -50,6 +40,7 @@ jobs:
 with:
 image-ref: "trivy-test"
 format: "sarif"
+ template: "@/contrib/sarif.tpl"
 output: "trivy-results.sarif"
 timeout: "20m0s"
 ignore-unfixed: true
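Review bot: Removing the `push` trigger for main/master/develop in the `on:` block of trivy.yml leaves the workflow reachable only via `workflow_call`, and the single caller visible in this diff (the `trivy-scans` job in pr_build.yml) is gated on `github.base_ref` and `github.event.pull_request.merged == false`, so the post-merge scans the deleted comment described ("run workflow when merging to main or develop") no longer run unless another workflow in the repository calls it. If scanning the merged branch is still wanted, keep a push trigger next to the call trigger, e.g. `push:` with `branches: [main, master, develop]` under `on:` alongside `workflow_call:`. The `jobs:` stanza and the `build` job continue outside the hunk.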
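Review bot: The added `template: "@/contrib/sarif.tpl"` sits beside an unchanged `format: "sarif"`; in trivy-action the template input is, as far as I know, only consulted when `format` is `"template"`, so the new line is probably ignored by the native SARIF writer — worth confirming against the pinned action version, which is outside the hunk. Pick one combination rather than both: either drop the `template:` line, or use `format: "template"` together with it. A short comment on the chosen line, e.g. `# native SARIF output; no template needed`, would keep the next reader from re-adding the other half. The `with:` mapping and its step header start before the hunk.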