sig-cloud-instance-images/.github/workflows/scan.yml

name: Scan images using trivy
on:
  push:
  workflow_dispatch:
  schedule:
    - cron: "0 13 * * *"

jobs:
  scan:
    permissions:
      contents: write
      security-events: write # allow github/codeql-action/upload-sarif
    name: Scan for Security Vulnerabilities
    runs-on: ubuntu-18.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
        
      - name: Create public folder
        run: |
          mkdir -p public/
      
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/rockylinux/rockylinux:8'
          format: 'sarif'
          output: 'public/trivy-results.sarif'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH,MEDIUM'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        if: always() 
        with:
          sarif_file: 'public/trivy-results.sarif'
        

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        if: always()
        continue-on-error: true
        with:
          image-ref: 'docker.io/rockylinux/rockylinux:8'
          format: 'template'
          template: '@/contrib/html.tpl'
          output: 'public/index.html'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH,MEDIUM'

      - name: Save scan results to github pages
        uses: peaceiris/actions-gh-pages@v3
        #if: ${{ github.ref == 'refs/heads/main' }}
        if: always()
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: ./public
Upload scan results to github security tab 2022-03-15 12:48:59 +00:00			`name: Scan images using trivy`
scan images 2022-03-15 12:40:42 +00:00			`on:`
save results publicly Signed-off-by: Neil Hanlon <neil@rockylinux.org> 2022-03-25 13:59:59 +00:00			`push:`
scan images 2022-03-15 12:40:42 +00:00			`workflow_dispatch:`
			`schedule:`
			`- cron: "0 13 * * *"`

			`jobs:`
			`scan:`
Upload scan results to github security tab 2022-03-15 12:48:59 +00:00			`permissions:`
Update scan.yml (#16) 2022-03-29 13:50:40 +00:00			`contents: write`
Upload scan results to github security tab 2022-03-15 12:48:59 +00:00			`security-events: write # allow github/codeql-action/upload-sarif`
Upload scan results to github security tab 2022-03-15 12:44:54 +00:00			`name: Scan for Security Vulnerabilities`
scan images 2022-03-15 12:40:42 +00:00			`runs-on: ubuntu-18.04`
			`steps:`
			`- name: Checkout code`
			`uses: actions/checkout@v2`
Update scan.yml (#15) 2022-03-29 13:40:09 +00:00
			`- name: Create public folder`
			`run: \|`
			`mkdir -p public/`
scan images 2022-03-15 12:40:42 +00:00
			`- name: Run Trivy vulnerability scanner`
			`uses: aquasecurity/trivy-action@master`
			`with:`
Modify scanning (#13) Scan the non-library image which is more up to date Upload files to a github pages branch for public viewing 2022-03-29 13:31:34 +00:00			`image-ref: 'docker.io/rockylinux/rockylinux:8'`
Upload scan results to github security tab 2022-03-15 12:44:54 +00:00			`format: 'sarif'`
Update scan.yml (#15) 2022-03-29 13:40:09 +00:00			`output: 'public/trivy-results.sarif'`
scan images 2022-03-15 12:40:42 +00:00			`exit-code: '1'`
			`ignore-unfixed: true`
			`vuln-type: 'os,library'`
Look for medium sev vulnerabilities 2022-03-15 12:51:15 +00:00			`severity: 'CRITICAL,HIGH,MEDIUM'`
Upload scan results to github security tab 2022-03-15 12:44:54 +00:00
			`- name: Upload Trivy scan results to GitHub Security tab`
			`uses: github/codeql-action/upload-sarif@v1`
			`if: always()`
			`with:`
Update scan.yml (#15) 2022-03-29 13:40:09 +00:00			`sarif_file: 'public/trivy-results.sarif'`

save results publicly Signed-off-by: Neil Hanlon <neil@rockylinux.org> 2022-03-25 13:59:59 +00:00
			`- name: Run Trivy vulnerability scanner`
			`uses: aquasecurity/trivy-action@master`
Update scan.yml (#17) 2022-04-09 14:41:43 +00:00			`if: always()`
			`continue-on-error: true`
save results publicly Signed-off-by: Neil Hanlon <neil@rockylinux.org> 2022-03-25 13:59:59 +00:00			`with:`
Modify scanning (#13) Scan the non-library image which is more up to date Upload files to a github pages branch for public viewing 2022-03-29 13:31:34 +00:00			`image-ref: 'docker.io/rockylinux/rockylinux:8'`
fix scanner format (#14) 2022-03-29 13:37:04 +00:00			`format: 'template'`
Update scan.yml (#15) 2022-03-29 13:40:09 +00:00			`template: '@/contrib/html.tpl'`
Modify scanning (#13) Scan the non-library image which is more up to date Upload files to a github pages branch for public viewing 2022-03-29 13:31:34 +00:00			`output: 'public/index.html'`
save results publicly Signed-off-by: Neil Hanlon <neil@rockylinux.org> 2022-03-25 13:59:59 +00:00			`exit-code: '1'`
			`ignore-unfixed: true`
			`vuln-type: 'os,library'`
			`severity: 'CRITICAL,HIGH,MEDIUM'`

Modify scanning (#13) Scan the non-library image which is more up to date Upload files to a github pages branch for public viewing 2022-03-29 13:31:34 +00:00			`- name: Save scan results to github pages`
			`uses: peaceiris/actions-gh-pages@v3`
Update scan.yml (#18) 2022-04-09 14:43:48 +00:00			`#if: ${{ github.ref == 'refs/heads/main' }}`
Update scan.yml (#19) 2022-04-09 14:45:24 +00:00			`if: always()`
save results publicly Signed-off-by: Neil Hanlon <neil@rockylinux.org> 2022-03-25 13:59:59 +00:00			`with:`
Modify scanning (#13) Scan the non-library image which is more up to date Upload files to a github pages branch for public viewing 2022-03-29 13:31:34 +00:00			`github_token: ${{ secrets.GITHUB_TOKEN }}`
			`publish_dir: ./public`