
Commit e4160b2

ci: add Trivy security scanning workflow and status badge
- Add a GitHub Actions workflow to perform Trivy security scanning on code pushes, pull requests, scheduled runs, and manual dispatch
- Display Trivy Security Scan status badge in the README

Signed-off-by: appleboy <appleboy.tw@gmail.com>
1 parent dab593b commit e4160b2


2 files changed: +57 -0 lines changed


.github/workflows/trivy-scan.yml

Lines changed: 56 additions & 0 deletions
@@ -0,0 +1,56 @@
1+
name: Trivy Security Scan
2+
3+
on:
4+
push:
5+
branches:
6+
- master
7+
pull_request:
8+
branches:
9+
- master
10+
schedule:
11+
# Run daily at 00:00 UTC
12+
- cron: '0 0 * * *'
13+
workflow_dispatch: # Allow manual trigger
14+
15+
permissions:
16+
contents: read
17+
security-events: write # Required for uploading SARIF results
18+
19+
jobs:
20+
trivy-scan:
21+
name: Trivy Security Scan
22+
runs-on: ubuntu-latest
23+
steps:
24+
- name: Checkout code
25+
uses: actions/checkout@v5
26+
with:
27+
fetch-depth: 0
28+
29+
- name: Run Trivy vulnerability scanner (source code)
30+
uses: aquasecurity/trivy-action@0.33.1
31+
with:
32+
scan-type: 'fs'
33+
scan-ref: '.'
34+
scanners: 'vuln,secret,misconfig'
35+
format: 'sarif'
36+
output: 'trivy-results.sarif'
37+
severity: 'CRITICAL,HIGH,MEDIUM'
38+
ignore-unfixed: true
39+
40+
- name: Upload Trivy results to GitHub Security tab
41+
uses: github/codeql-action/upload-sarif@v4
42+
if: always()
43+
with:
44+
sarif_file: 'trivy-results.sarif'
45+
46+
- name: Run Trivy scanner (table output for logs)
47+
uses: aquasecurity/trivy-action@0.33.1
48+
if: always()
49+
with:
50+
scan-type: 'fs'
51+
scan-ref: '.'
52+
scanners: 'vuln,secret,misconfig'
53+
format: 'table'
54+
severity: 'CRITICAL,HIGH,MEDIUM'
55+
ignore-unfixed: true
56+
exit-code: '1'
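Review bot: all three `uses:` references in this hunk (`actions/checkout@v5`, `aquasecurity/trivy-action@0.33.1`, `github/codeql-action/upload-sarif@v4`) are pinned to mutable tags rather than commit SHAs; for a workflow that runs with `security-events: write` and exists for supply-chain hygiene, pin each action to its full-length commit SHA and keep the tag in a trailing comment, so a moved or re-created tag cannot change what executes. Two smaller points: `fetch-depth: 0` fetches the full history, which a `scan-type: 'fs'` scan of the working tree does not use, so it can be dropped to speed up checkout; and the second Trivy step repeats the first scan with the same `scanners` and `severity` only to fail the job via `exit-code: '1'`, so a short comment on that step saying it is the gating run (and that `ignore-unfixed: true` means findings without an available fix never block) would save the next reader from assuming the duplication is accidental.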

README.md

Lines changed: 1 addition & 0 deletions
@@ -1,6 +1,7 @@
11
# expvar
22

33
[![Run Tests](https://github.com/gin-contrib/expvar/actions/workflows/go.yml/badge.svg?branch=master)](https://github.com/gin-contrib/expvar/actions/workflows/go.yml)
4+
[![Trivy Security Scan](https://github.com/gin-contrib/expvar/actions/workflows/trivy-scan.yml/badge.svg)](https://github.com/gin-contrib/expvar/actions/workflows/trivy-scan.yml)
45
[![codecov](https://codecov.io/gh/gin-contrib/expvar/branch/master/graph/badge.svg)](https://codecov.io/gh/gin-contrib/expvar)
56
[![Go Report Card](https://goreportcard.com/badge/github.com/gin-contrib/expvar)](https://goreportcard.com/report/github.com/gin-contrib/expvar)
67
[![GoDoc](https://godoc.org/github.com/gin-contrib/expvar?status.svg)](https://godoc.org/github.com/gin-contrib/expvar)
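Review bot: the new Trivy badge URL omits the `?branch=master` query that the adjacent `Run Tests` badge uses, so the two badges are not scoped the same way; add `?branch=master` to `badge.svg` for consistency, so the README badge explicitly reports the master branch that the workflow's `push` and `pull_request` triggers target.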
