2e6a19d3b5
* ci: updated all workflows to be pineed to commit hashes ahead of renovate connection * ci: update doc links regex * ci: bump version for codeql-action * ci: bump version for action/cache to v4.2.0 * ci: adding package-manager-cache: false to the node v5 setup steps * ci: remove the --include to test precedence as it was overriding * chore: added missing @ from commit hash * ci: updates to shas to bring up to latest, also update to renovate config to account for major versions * chore: update renovate global minimum age settings * updated node sha * Apply suggestion from @M0NsTeRRR Co-authored-by: Ludovic Ortega <ludovic.ortega@adminafk.fr> * Apply suggestion from @M0NsTeRRR Co-authored-by: Ludovic Ortega <ludovic.ortega@adminafk.fr> * Apply suggestion from @M0NsTeRRR Co-authored-by: Ludovic Ortega <ludovic.ortega@adminafk.fr> * Apply suggestion from @M0NsTeRRR * Apply suggestion from @M0NsTeRRR --------- Co-authored-by: Ludovic Ortega <ludovic.ortega@adminafk.fr>
62 lines
1.8 KiB
YAML
62 lines
1.8 KiB
YAML
---
|
|
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
|
|
name: Trivy Container Vulnerability Scan
|
|
|
|
on:
|
|
workflow_run:
|
|
workflows:
|
|
- Seerr Release
|
|
types:
|
|
- completed
|
|
schedule:
|
|
- cron: '50 7 * * 5'
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
concurrency:
|
|
group: trivy-scan-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
trivy:
|
|
if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}
|
|
name: Scan latest container image
|
|
runs-on: ubuntu-24.04
|
|
|
|
permissions:
|
|
contents: read
|
|
security-events: write
|
|
|
|
env:
|
|
TRIVY_CACHE_DIR: .trivycache
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
with:
|
|
fetch-depth: 0
|
|
persist-credentials: false
|
|
|
|
- name: Cache Trivy DB
|
|
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
|
|
with:
|
|
path: .trivycache
|
|
key: trivy-${{ runner.os }}-${{ hashFiles('**/Dockerfile') }}
|
|
restore-keys: |
|
|
trivy-${{ runner.os }}-
|
|
|
|
- name: Run Trivy image scan
|
|
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
|
|
with:
|
|
image-ref: ghcr.io/${{ github.repository }}:latest
|
|
format: sarif
|
|
output: trivy.sarif
|
|
ignore-unfixed: true
|
|
|
|
- name: Upload SARIF to code scanning
|
|
uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
|
|
with:
|
|
sarif_file: trivy.sarif
|