superlint/.github/workflows/trivy.yml

---
name: Container Security Scan with Trivy
on:
  push:
    branches:
      - master
  pull_request:
jobs:
  scan-container:
    name: Build
    runs-on: ubuntu-18.04
    steps:
      ######################
      # Checkout code base #
      ######################
      - name: Checkout code
        uses: actions/checkout@v2

      # ##########################
      # # Build the docker image #
      # ##########################
      # - name: Build an image from Dockerfile
      #   run: |
      #     docker build -t docker.io/github/super-linter:${{ github.sha }} .

      ###########################################
      # Download and install Trivy and template #
      ###########################################
      - name: Download and Install Trivy
        shell: bash
        run: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh | sh -s -- -b ${GITHUB_WORKSPACE}
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/sarif.tpl -o sarif.tpl

      #################################
      # Run Trivy Scan of source code #
      #################################
      - name: Trivy Scan
        shell: bash
        run: ./.automation/trivy-security-scan.sh

      ################################
      # Upload report to secrity tab #
      ################################
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        if: always()
        with:
          sarif_file: 'report.sarif'
Add trivy scans for container security (#1209) * Create trivy.yml * Add descriptive names * Add fs mode to catch package.lock issues * use script to get around timeout * use script to get around timeout * set it * set it * update deps * Align with comment style * fix headeer * npm audit fix to patch vulnerabilities Signed-off-by: Zack Koppert <zkoppert@github.com> Co-authored-by: Lukas Gravley <admiralawkbar@github.com> 2021-02-17 17:03:30 -05:00			`---`
			`name: Container Security Scan with Trivy`
			`on:`
			`push:`
			`branches:`
			`- master`
			`pull_request:`
			`jobs:`
			`scan-container:`
			`name: Build`
			`runs-on: ubuntu-18.04`
			`steps:`
			`######################`
			`# Checkout code base #`
			`######################`
			`- name: Checkout code`
			`uses: actions/checkout@v2`

			`# ##########################`
			`# # Build the docker image #`
			`# ##########################`
			`# - name: Build an image from Dockerfile`
			`# run: \|`
			`# docker build -t docker.io/github/super-linter:${{ github.sha }} .`

			`###########################################`
			`# Download and install Trivy and template #`
			`###########################################`
			`- name: Download and Install Trivy`
			`shell: bash`
			`run: \|`
			`curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/install.sh \| sh -s -- -b ${GITHUB_WORKSPACE}`
			`curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/master/contrib/sarif.tpl -o sarif.tpl`

			`#################################`
			`# Run Trivy Scan of source code #`
			`#################################`
			`- name: Trivy Scan`
			`shell: bash`
			`run: ./.automation/trivy-security-scan.sh`

			`################################`
			`# Upload report to secrity tab #`
			`################################`
			`- name: Upload Trivy scan results to GitHub Security tab`
			`uses: github/codeql-action/upload-sarif@v1`
			`if: always()`
			`with:`
			`sarif_file: 'report.sarif'`