This repository was archived by the owner on Sep 4, 2025. It is now read-only.

Commit 93d4237

fix sarif upload
1 parent aae82df commit 93d4237


1 file changed

+7
-17
lines changed


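--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -24,11 +24,9 @@ jobs:
       - name: Run Trivy vulnerability scanner
         # Third-party action, pin to commit SHA!
         # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
-        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
+        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
         env:
-          TRIVY_USERNAME: ${{ github.actor }}
-          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
-          TRIVY_OFFLINE_SCAN: true
+          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
         with:
           image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
           format: "sarif"
@@ -48,25 +46,17 @@ jobs:
         with:
           sarif_file: "trivy-results.sarif"
       - name: Generate cosign vulnerability scan record
-        # Third-party action, pin to commit SHA!
-        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
-        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5
+        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
         env:
-          TRIVY_USERNAME: ${{ github.actor }}
-          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
-          TRIVY_OFFLINE_SCAN: true
+          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
         with:
-          image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
+          image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ matrix.container-name }}:${{ env.CONTAINER_IMAGE_VERSION }}
           format: "cosign-vuln"
           output: "vuln.json"
       - name: Install cosign
-        # Third-party action, pin to commit SHA!
-        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
-        uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb
+        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
       - name: Log into container registry
-        # Third-party action, pin to commit SHA!
-        # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
         with:
           registry: ${{ env.CONTAINER_REGISTRY }}
           username: ${{ github.actor }}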
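Review bot: The SARIF scan step in the first hunk still builds `image-ref` from `env.CONTAINER_IMAGE_NAME` (old/new line 33/31) while the cosign-vuln step in the second hunk now uses `matrix.container-name` (new line 53), so unless `CONTAINER_IMAGE_NAME` is derived from the matrix somewhere outside this diff, the findings uploaded to the Security tab and the cosign vulnerability record describe different images. Aligning the first step to `image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ matrix.container-name }}:${{ env.CONTAINER_IMAGE_VERSION }}` keeps the attested record tied to the image that was actually scanned. If this job is a matrix, the upload-sarif step (new lines 46-47) also needs a per-image `category: trivy-${{ matrix.container-name }}`, because uploads for the same commit and tool without a distinguishing category can supersede one another and only one matrix leg's findings would remain visible. Dropping `TRIVY_USERNAME`/`TRIVY_PASSWORD` means both scans now rely on ambient registry credentials, and the only visible login step (docker/login-action, new line 58) runs after them, so confirm that a login precedes line 24 or that the registry allows anonymous pulls of these images. The "pin to commit SHA" comments removed from the three rewritten steps could be restored for consistency with the first step, although the added version-tag comments already document what each pin corresponds to.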
