Reinstate Trivy with no blocks for vulnerabilities found (#1455)

* enable trivy * enable docker build * Add audit fix to patch vulns * exit success on vulnerabilities found
2024-11-22 00:31:07 -05:00 · 2021-04-17 14:50:23 -07:00 · 2021-04-17 14:50:23 -07:00 · 786e7056de
commit 786e7056de
parent a908937c78
2 changed files with 44 additions and 44 deletions
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@ -1,47 +1,46 @@
 # Disabling trivy scans while they get troubleshooting for failures
-# ---
+---
-# name: Container Security Scan with Trivy
+name: Container Security Scan with Trivy
-# on:
+on:
-#   push:
+  push:
-#     branches:
+    branches:
-#       - master
+      - master
-#   pull_request:
+  pull_request:
-# jobs:
+jobs:
-#   scan-container:
+  scan-container:
-#     name: Build
+    name: Build
-#     runs-on: ubuntu-18.04
+    runs-on: ubuntu-18.04
-#     steps:
+    steps:
-#       ######################
+      ######################
-#       # Checkout code base #
+      # Checkout code base #
-#       ######################
+      ######################
-#       - name: Checkout code
+      - name: Checkout code
-#         uses: actions/checkout@v2
+        uses: actions/checkout@v2
-#       # ##########################
+      # ##########################
-#       # # Build the docker image #
+      # # Build the docker image #
-#       # ##########################
+      # ##########################
-#       # - name: Build an image from Dockerfile
+      - name: Build an image from Dockerfile
-#       #   run: |
+        run: |
-#       #     docker build -t docker.io/github/super-linter:${{ github.sha }} .
+          docker build -t docker.io/github/super-linter:${{ github.sha }} .
-#       #################################
+      #################################
-#       # Run Trivy Scan of source code #
+      # Run Trivy Scan of source code #
-#       #################################
+      #################################
-#       - name: Trivy Scan
+      - name: Trivy Scan
-#         uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@master
-#         with:
+        with:
-#           scan-type: 'fs'
+          scan-type: 'fs'
-#           format: 'template'
+          format: 'template'
-#           exit-code: '1'
+          template: '@/contrib/sarif.tpl'
-#           template: '@/contrib/sarif.tpl'
+          output: 'report.sarif'
-#           output: 'report.sarif'
+          severity: 'HIGH,CRITICAL'
 #           severity: 'HIGH,CRITICAL'
-#       #################################
+      #################################
-#       # Upload report to security tab #
+      # Upload report to security tab #
-#       #################################
+      #################################
-#       - name: Upload Trivy scan results to GitHub Security tab
+      - name: Upload Trivy scan results to GitHub Security tab
-#         uses: github/codeql-action/upload-sarif@v1
+        uses: github/codeql-action/upload-sarif@v1
-#         if: always()
+        if: always()
-#         with:
+        with:
-#           sarif_file: 'report.sarif'
+          sarif_file: 'report.sarif'
--- a/3
+++ b/3
@ -150,7 +150,8 @@ RUN pipenv install --clear --system
 ####################
 RUN npm config set package-lock false \
    && npm config set loglevel error \
-    && npm --no-cache install
+    && npm --no-cache install \
    && npm audit fix
 #############################
 # Add node packages to path #