superlint/.github/workflows/trivy.yml

# Disabling trivy scans while they get troubleshooting for failures
---
name: Trivy Container Scan
on:
  push:
    branches:
      - main
  pull_request:
  merge_group:

permissions:
  contents: read

jobs:
  scan-container:
    permissions:
      contents: read  # for actions/checkout to fetch code
      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
    name: Build
    runs-on: ubuntu-latest
    timeout-minutes: 60
    steps:
      ######################
      # Checkout code base #
      ######################
      - name: Checkout code
        uses: actions/checkout@v3

      #################################
      # Run Trivy Scan of source code #
      #################################
      - name: Trivy Scan
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'report.sarif'
          severity: 'HIGH,CRITICAL'

      #################################
      # Upload report to security tab #
      #################################
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'report.sarif'
Update trivy.yml 2021-04-05 20:00:29 -04:00			`# Disabling trivy scans while they get troubleshooting for failures`
Reinstate Trivy with no blocks for vulnerabilities found (#1455) * enable trivy * enable docker build * Add audit fix to patch vulns * exit success on vulnerabilities found 2021-04-17 17:50:23 -04:00			`---`
Add Actions names 2022-02-21 10:17:34 -05:00			`name: Trivy Container Scan`
Reinstate Trivy with no blocks for vulnerabilities found (#1455) * enable trivy * enable docker build * Add audit fix to patch vulns * exit success on vulnerabilities found 2021-04-17 17:50:23 -04:00			`on:`
			`push:`
			`branches:`
switch to main branch (#2010) * switch to main branch * switch from master to main * switch default branch to main * switch to main branch * switch to main branch * switch to main branch * switch to main branch * switch to main branch * switch to main branch * switch to main branch * switch to main branch * switch to main branch * switch to main branch * make comment reflect code * switch to main branch 2021-10-01 15:57:26 -04:00			`- main`
Reinstate Trivy with no blocks for vulnerabilities found (#1455) * enable trivy * enable docker build * Add audit fix to patch vulns * exit success on vulnerabilities found 2021-04-17 17:50:23 -04:00			`pull_request:`
Enable merge queue Signed-off-by: Brett Logan <lindluni@github.com> 2023-02-09 01:48:06 -05:00			`merge_group:`

Set permissions for GitHub actions (#2752) - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. Signed-off-by: nathannaveen <42319948+nathannaveen@users.noreply.github.com> 2022-04-11 15:52:49 -04:00			`permissions:`
			`contents: read`

Reinstate Trivy with no blocks for vulnerabilities found (#1455) * enable trivy * enable docker build * Add audit fix to patch vulns * exit success on vulnerabilities found 2021-04-17 17:50:23 -04:00			`jobs:`
			`scan-container:`
Set permissions for GitHub actions (#2752) - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. Signed-off-by: nathannaveen <42319948+nathannaveen@users.noreply.github.com> 2022-04-11 15:52:49 -04:00			`permissions:`
			`contents: read # for actions/checkout to fetch code`
			`security-events: write # for github/codeql-action/upload-sarif to upload SARIF results`
Reinstate Trivy with no blocks for vulnerabilities found (#1455) * enable trivy * enable docker build * Add audit fix to patch vulns * exit success on vulnerabilities found 2021-04-17 17:50:23 -04:00			`name: Build`
Update job image Signed-off-by: Brett Logan <lindluni@github.com> 2023-04-10 14:34:26 -04:00			`runs-on: ubuntu-latest`
Add CI timeout (#2127) 2021-11-15 11:25:36 -05:00			`timeout-minutes: 60`
Reinstate Trivy with no blocks for vulnerabilities found (#1455) * enable trivy * enable docker build * Add audit fix to patch vulns * exit success on vulnerabilities found 2021-04-17 17:50:23 -04:00			`steps:`
			`######################`
			`# Checkout code base #`
			`######################`
			`- name: Checkout code`
Bump actions/checkout from 2.4.0 to 3 Bumps [actions/checkout](https://github.com/actions/checkout) from 2.4.0 to 3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v2.4.0...v3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> 2022-03-07 10:34:26 -05:00			`uses: actions/checkout@v3`
Add trivy scans for container security (#1209) * Create trivy.yml * Add descriptive names * Add fs mode to catch package.lock issues * use script to get around timeout * use script to get around timeout * set it * set it * update deps * Align with comment style * fix headeer * npm audit fix to patch vulnerabilities Signed-off-by: Zack Koppert <zkoppert@github.com> Co-authored-by: Lukas Gravley <admiralawkbar@github.com> 2021-02-17 17:03:30 -05:00
Reinstate Trivy with no blocks for vulnerabilities found (#1455) * enable trivy * enable docker build * Add audit fix to patch vulns * exit success on vulnerabilities found 2021-04-17 17:50:23 -04:00			`#################################`
			`# Run Trivy Scan of source code #`
			`#################################`
			`- name: Trivy Scan`
			`uses: aquasecurity/trivy-action@master`
			`with:`
			`scan-type: 'fs'`
			`format: 'template'`
			`template: '@/contrib/sarif.tpl'`
			`output: 'report.sarif'`
			`severity: 'HIGH,CRITICAL'`
Add trivy scans for container security (#1209) * Create trivy.yml * Add descriptive names * Add fs mode to catch package.lock issues * use script to get around timeout * use script to get around timeout * set it * set it * update deps * Align with comment style * fix headeer * npm audit fix to patch vulnerabilities Signed-off-by: Zack Koppert <zkoppert@github.com> Co-authored-by: Lukas Gravley <admiralawkbar@github.com> 2021-02-17 17:03:30 -05:00
Reinstate Trivy with no blocks for vulnerabilities found (#1455) * enable trivy * enable docker build * Add audit fix to patch vulns * exit success on vulnerabilities found 2021-04-17 17:50:23 -04:00			`#################################`
			`# Upload report to security tab #`
			`#################################`
			`- name: Upload Trivy scan results to GitHub Security tab`
Bump github/codeql-action from 1 to 2 (#2829) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 1 to 2. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/v1...v2) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2022-05-02 10:56:21 -04:00			`uses: github/codeql-action/upload-sarif@v2`
Reinstate Trivy with no blocks for vulnerabilities found (#1455) * enable trivy * enable docker build * Add audit fix to patch vulns * exit success on vulnerabilities found 2021-04-17 17:50:23 -04:00			`with:`
			`sarif_file: 'report.sarif'`