
Commit 5526304

Update security workflow for optimized devcontainer
Improvements:
- Remove redundant tcl installation step
- Fix Dockerfile path in trigger (covered by .devcontainer/**)
- Pin Trivy action to specific version (0.28.0) instead of @master
- Add severity filtering (CRITICAL,HIGH) to focus on important issues
- Improve workflow stability and reproducibility

The workflow now properly scans the optimized devcontainer configuration.

Signed-off-by: Ihor Dvoretskyi <[email protected]>
1 parent aa0caf1 commit 5526304

.github/workflows/security.yml

Lines changed: 4 additions & 7 deletions
@@ -8,13 +8,11 @@ on:
88
branches: [ main ]
99
paths:
1010
- '.devcontainer/**'
11-
- 'Dockerfile'
1211
- '.github/workflows/security.yml'
1312
pull_request:
1413
branches: [ main ]
1514
paths:
1615
- '.devcontainer/**'
17-
- 'Dockerfile'
1816
- '.github/workflows/security.yml'
1917
workflow_dispatch: # Allow manual trigger
2018
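Review bot: dropping `'Dockerfile'` from both `paths:` filters is only correct while the Dockerfile lives under `.devcontainer/`, which the build step's `docker build -t "$IMAGE_NAME" .devcontainer/` in the next hunk confirms; a one-line comment next to the `'.devcontainer/**'` entry saying so would stop someone who later adds a top-level Dockerfile from assuming it is scanned. After this change the `push` and `pull_request` triggers fire only for `.devcontainer/**` and this workflow file, with `workflow_dispatch` as the only other way to run the scan.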

@@ -30,21 +28,19 @@ jobs:
3028
- name: Checkout
3129
uses: actions/checkout@v4
3230

33-
- name: Install missing dependencies
34-
run: sudo apt-get update && sudo apt-get install -y tcl
35-
3631
- name: Build Docker image for scanning
3732
run: |
3833
IMAGE_NAME="dev-template:${{ github.sha }}"
3934
docker build -t "$IMAGE_NAME" .devcontainer/
4035
echo "IMAGE_NAME=$IMAGE_NAME" >> $GITHUB_ENV
4136
4237
- name: Run Trivy vulnerability scanner
43-
uses: aquasecurity/trivy-action@master
38+
uses: aquasecurity/trivy-action@0.28.0
4439
with:
4540
image-ref: '${{ env.IMAGE_NAME }}'
4641
format: 'sarif'
4742
output: 'trivy-results.sarif'
43+
severity: 'CRITICAL,HIGH'
4844

4945
- name: Upload Trivy scan results to GitHub Security tab
5046
uses: github/codeql-action/upload-sarif@v3
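Review bot: `aquasecurity/trivy-action@0.28.0` is a clear improvement over `@master`, but a tag is still a mutable ref that can be moved by anyone with push access to that repository; for the reproducibility the commit message aims at, pin to the full commit SHA and keep the version as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha> # 0.28.0`. Separately, `severity: 'CRITICAL,HIGH'` filters what is written to `trivy-results.sarif`, so MEDIUM findings no longer reach the Security tab at all; that matches the stated intent, but note that nothing in this step sets `exit-code`, so even CRITICAL findings only produce SARIF entries and never fail the job.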
@@ -70,12 +66,13 @@ jobs:
7066
retention-days: 30
7167

7268
- name: Run Trivy filesystem scan
73-
uses: aquasecurity/trivy-action@master
69+
uses: aquasecurity/trivy-action@0.28.0
7470
with:
7571
scan-type: 'fs'
7672
scan-ref: '.'
7773
format: 'sarif'
7874
output: 'trivy-fs-results.sarif'
75+
severity: 'CRITICAL,HIGH'
7976

8077
- name: Upload filesystem scan results
8178
uses: github/codeql-action/upload-sarif@v3
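Review bot: the filesystem scan now carries the same pin and severity filter as the image scan, so the two `uses:` lines have to be bumped together; the SHA-pin suggestion from the previous hunk applies here too. More importantly, `scan-ref: '.'` scans the whole checkout (lockfiles, IaC, this workflow), but the first hunk restricted the `push` and `pull_request` triggers to `.devcontainer/**` and `security.yml`, so a change to a dependency manifest elsewhere in the repository no longer triggers this scan, and CVEs published between commits are never picked up; add a `schedule:` cron trigger alongside `workflow_dispatch` so the results stay current.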
