Update Trivy to 0.69.2 across all scanner modules #91
Workflow file for this run
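# NOTE: Updates to this workflow should be done on the scanner-registry repository
# (not a fork) to validate the test harness is healthy. PRs from forks use the
# workflow from main via pull_request_target, while same-repo PRs use the workflow
# from the PR branch via pull_request.
name: Scan Tests

on:
  pull_request:
    types: [opened, synchronize, reopened]
  pull_request_target:
    types: [opened, synchronize, reopened]

# Only the OIDC scope is granted, so every other GITHUB_TOKEN scope is "none".
# NOTE(review): the checkout steps below run with this token — confirm they
# still succeed without an explicit contents: read.
permissions:
  id-token: write # Required for OIDC

# Every job below follows the same shape: obtain a provider token, check out the
# PR head, then hand the PR head to scan-test-action. The four jobs differ only
# in the provider and the credentials used for it.
# NOTE(review): scan-test-action is pinned by commit SHA, while azure/login,
# actions/checkout and actions/create-github-app-token are pinned by mutable
# major tag; pinning those by SHA too would make the supply chain consistent.
jobs:
  azure-devops-pipelines:
    name: Azure DevOps Pipelines
    runs-on: ubuntu-latest
    # Require a reviewer to allow the workflow to run when coming from a fork.
    # An empty string selects no environment, so same-repo PRs are not gated.
    environment: ${{ github.event_name == 'pull_request_target' && 'scan-test' || '' }}
    # Run on pull_request for same-repo PRs, pull_request_target for fork PRs
    if: |
      (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
      (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository)
    steps:
      - name: Azure Login (OIDC)
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.BOOST_SCAN_RUNNER_ADO_CLIENT_ID }}
          tenant-id: ${{ secrets.BOOST_SCAN_RUNNER_ADO_TENANT_ID }}
          allow-no-subscriptions: true
      - name: Get Azure DevOps Token
        id: azure-token
        run: |
          # --resource is the audience the access token is requested for (Azure DevOps,
          # per this step's name); az exits non-zero on failure, which -e turns into a step failure.
          token=$(az account get-access-token \
            --resource 499b84ac-1321-427f-aa17-267ca6975798 \
            --query accessToken -o tsv)
          # Guard against a successful call that still yields no token.
          if [ -z "$token" ]; then
            echo "::error::az account get-access-token returned an empty token"
            exit 1
          fi
          # Mask before the value is written anywhere so it can never reach the log.
          echo "::add-mask::$token"
          echo "token=$token" >> "$GITHUB_OUTPUT"
      - name: Checkout scanner registry
        uses: actions/checkout@v4
        with:
          # Checkout the pull request's code to read the new tests.yaml
          fetch-depth: 0 # Need full history to detect changes
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Run Tests
        uses: boostsecurityio/scan-test-action@05297ee358226347a9f4989716ffeb7ba1dedc4f
        with:
          provider: azure-devops
          provider-config: |
            {
              "token": "${{ steps.azure-token.outputs.token }}",
              "organization": "BoostSecurity",
              "project": "cicd-tools",
              "pipeline_id": 1
            }
          # Target the pull request's code to read the new module.yaml
          # WARNING: This runs arbitrary code in pre-scan checks, it MUST be blocked by an environment to manually allow workflow to run.
          registry-repo: ${{ github.event.pull_request.head.repo.full_name }}
          registry-ref: ${{ github.event.pull_request.head.sha }}
          base-ref: ${{ github.event.pull_request.base.sha }}
          fallback-scanners: "boostsecurityio/trivy-fs,boostsecurityio/trivy-image"
          allowed-env-prefixes: "CODEQL_,BOOST_"

  bitbucket-action:
    name: Bitbucket Pipelines
    runs-on: ubuntu-latest
    # Require a reviewer to allow the workflow to run when coming from a fork.
    # An empty string selects no environment, so same-repo PRs are not gated.
    environment: ${{ github.event_name == 'pull_request_target' && 'scan-test' || '' }}
    # Run on pull_request for same-repo PRs, pull_request_target for fork PRs
    if: |
      (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
      (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository)
    steps:
      - name: Generate Bitbucket OAuth Token
        id: bitbucket-token
        # Credentials are passed through env instead of being interpolated into the
        # script text, so they are never part of the shell source and cannot break
        # its quoting.
        env:
          CLIENT_ID: ${{ secrets.BOOST_SCAN_RUNNER_BITBUCKET_CLIENT_ID }}
          CLIENT_SECRET: ${{ secrets.BOOST_SCAN_RUNNER_BITBUCKET_CLIENT_SECRET }}
        run: |
          response=$(curl -sS -X POST \
            "https://bitbucket.org/site/oauth2/access_token" \
            -u "${CLIENT_ID}:${CLIENT_SECRET}" \
            -d "grant_type=client_credentials")
          # '// empty' turns a null/missing access_token (error response) into an
          # empty string, so the check below fails the step instead of passing the
          # literal string "null" on to the scan step.
          token=$(echo "$response" | jq -r '.access_token // empty')
          if [ -z "$token" ]; then
            echo "::error::Bitbucket OAuth token request did not return an access_token"
            exit 1
          fi
          # Mask before the value is written anywhere so it can never reach the log.
          echo "::add-mask::$token"
          echo "token=$token" >> "$GITHUB_OUTPUT"
      - name: Checkout scanner registry
        uses: actions/checkout@v4
        with:
          # Checkout the pull request's code to read the new tests.yaml
          fetch-depth: 0 # Need full history to detect changes
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Run Tests
        uses: boostsecurityio/scan-test-action@05297ee358226347a9f4989716ffeb7ba1dedc4f
        with:
          provider: bitbucket
          provider-config: |
            {
              "token": "${{ steps.bitbucket-token.outputs.token }}",
              "workspace": "boostsecurityio",
              "repo_slug": "scan-test-runner-bitbucket-pipelines"
            }
          # Target the pull request's code to read the new module.yaml
          # WARNING: This runs arbitrary code in pre-scan checks, it MUST be blocked by an environment to manually allow workflow to run.
          registry-repo: ${{ github.event.pull_request.head.repo.full_name }}
          registry-ref: ${{ github.event.pull_request.head.sha }}
          base-ref: ${{ github.event.pull_request.base.sha }}
          fallback-scanners: "boostsecurityio/trivy-fs,boostsecurityio/trivy-image"
          allowed-env-prefixes: "CODEQL_,BOOST_"

  github-action:
    name: Github Actions
    runs-on: ubuntu-latest
    # Require a reviewer to allow the workflow to run when coming from a fork.
    # An empty string selects no environment, so same-repo PRs are not gated.
    environment: ${{ github.event_name == 'pull_request_target' && 'scan-test' || '' }}
    # Run on pull_request for same-repo PRs, pull_request_target for fork PRs
    if: |
      (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
      (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository)
    steps:
      - name: Generate GitHub App Token
        id: github-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.BOOST_SCAN_RUNNER_GITHUB_APP_ID }}
          private-key: ${{ secrets.BOOST_SCAN_RUNNER_GITHUB_APP_PRIVATE_KEY }}
          owner: boostsecurityio
          # NOTE(review): "gitbub" is kept verbatim here and in provider-config below;
          # confirm it is the actual repository name before changing the spelling.
          repositories: scan-test-runner-gitbub-actions
      - name: Checkout scanner registry
        uses: actions/checkout@v4
        with:
          # Checkout the pull request's code to read the new tests.yaml
          fetch-depth: 0 # Need full history to detect changes
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Run Tests
        uses: boostsecurityio/scan-test-action@05297ee358226347a9f4989716ffeb7ba1dedc4f
        with:
          provider: github-actions
          provider-config: |
            {
              "token": "${{ steps.github-token.outputs.token }}",
              "owner": "boostsecurityio",
              "repo": "scan-test-runner-gitbub-actions",
              "workflow_id": "test-scanner.yml"
            }
          # Target the pull request's code to read the new module.yaml
          # WARNING: This runs arbitrary code in pre-scan checks, it MUST be blocked by an environment to manually allow workflow to run.
          registry-repo: ${{ github.event.pull_request.head.repo.full_name }}
          registry-ref: ${{ github.event.pull_request.head.sha }}
          base-ref: ${{ github.event.pull_request.base.sha }}
          fallback-scanners: "boostsecurityio/trivy-fs,boostsecurityio/trivy-image"
          allowed-env-prefixes: "CODEQL_,BOOST_"

  gitlab-ci:
    name: Gitlab-CI
    runs-on: ubuntu-latest
    # Require a reviewer to allow the workflow to run when coming from a fork.
    # An empty string selects no environment, so same-repo PRs are not gated.
    environment: ${{ github.event_name == 'pull_request_target' && 'scan-test' || '' }}
    # Run on pull_request for same-repo PRs, pull_request_target for fork PRs
    if: |
      (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
      (github.event_name == 'pull_request_target' && github.event.pull_request.head.repo.full_name != github.repository)
    steps:
      - name: Checkout scanner registry
        uses: actions/checkout@v4
        with:
          # Checkout the pull request's code to read the new tests.yaml
          fetch-depth: 0 # Need full history to detect changes
          repository: ${{ github.event.pull_request.head.repo.full_name }}
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Run Tests
        uses: boostsecurityio/scan-test-action@05297ee358226347a9f4989716ffeb7ba1dedc4f
        with:
          provider: gitlab-ci
          # GitLab needs no token-minting step: both tokens come straight from secrets.
          provider-config: |
            {
              "trigger_token": "${{ secrets.BOOST_SCAN_RUNNER_GITLAB_TRIGGER_TOKEN }}",
              "api_token": "${{ secrets.BOOST_SCAN_RUNNER_GITLAB_READ_TOKEN }}",
              "project_id": "boostsecurityio/scan-test-runner-gitlab-ci"
            }
          # Target the pull request's code to read the new module.yaml
          # WARNING: This runs arbitrary code in pre-scan checks, it MUST be blocked by an environment to manually allow workflow to run.
          registry-repo: ${{ github.event.pull_request.head.repo.full_name }}
          registry-ref: ${{ github.event.pull_request.head.sha }}
          base-ref: ${{ github.event.pull_request.base.sha }}
          fallback-scanners: "boostsecurityio/trivy-fs,boostsecurityio/trivy-image"
          allowed-env-prefixes: "CODEQL_,BOOST_"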