From 0578a7a2c040a2d5becf3f55ab6c6672f68b66b9 Mon Sep 17 00:00:00 2001
From: Cristovao Cordeiro
Date: Wed, 7 Aug 2024 13:32:08 +0200
Subject: [PATCH 1/2] ci: report vulnerabilities and fail on HIGH,CRITICAL

---
 .github/workflows/security.yaml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index 8adf838d..964179cc 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -10,6 +10,8 @@ jobs:
   scan:
     name: Scan for known vulnerabilities
     runs-on: ubuntu-latest
+    env:
+      TRIVY_RESULTS: 'trivy-results.sarif'
     steps:
       - uses: actions/checkout@v3
 
@@ -18,3 +20,23 @@ jobs:
         with:
           scan-type: 'fs'
           scan-ref: '.'
+          format: 'sarif'
+          output: ${{ env.TRIVY_RESULTS }}
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ env.TRIVY_RESULTS }}
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.TRIVY_RESULTS }}
+          path: ${{ env.TRIVY_RESULTS }}
+
+      - name: Raise error on HIGH,CRITICAL vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1'

From ed7abf55c620de1361aa2e56b0718633ee420501 Mon Sep 17 00:00:00 2001
From: Cristovao Cordeiro
Date: Thu, 26 Sep 2024 14:42:15 +0200
Subject: [PATCH 2/2] ci: run security scans on sched, once a day

---
 .github/workflows/security.yaml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
index 964179cc..93d4cc18 100644
--- a/.github/workflows/security.yaml
+++ b/.github/workflows/security.yaml
@@ -1,10 +1,8 @@
 name: Security
 on:
-  push:
-    branches: [main]
-  pull_request:
-    branches: [main]
+  schedule:
+    - cron: "0 1 * * *"
 jobs:
   scan:
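Review bot: The gating step added at the end of the second hunk uses `uses: aquasecurity/trivy-action@master`, so the scanner that decides whether the job fails is fetched from a moving branch and can change without any commit to this repository — in a security workflow that is the kind of supply-chain exposure the scan exists to surface, so pin it to a release tag or, preferably, a full commit SHA (`uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>`) and apply the same pin to the first Trivy step, whose `uses:` line sits just above this hunk. The gate also re-runs a full filesystem scan rather than deriving the verdict from the SARIF the first step already produced, so the uploaded report and the pass/fail decision come from two independent runs and could diverge if the vulnerability database is refreshed in between; if that is intentional, a comment such as `# second scan is a separate severity gate; the SARIF above is report-only` on the `- name: Raise error` step would record it. The `upload-sarif` step additionally requires `security-events: write` on the job or workflow, which is not visible in either patch — confirm a `permissions:` block grants it, otherwise the upload is rejected.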