1515 - name : Run Report
1616 id : report
1717 uses : bearer/bearer-action@v2
18+ with :
19+ output : results.sarif
20+ - name : upload Bearer scan SARIF report
21+ uses : github/codeql-action/upload-sarif@v3
22+ with :
23+ sarif_file : ${{ steps.report.outputs.sarif }}
1824
1925 Anchore :
2026 runs-on : ubuntu-latest
3137 uses : github/codeql-action/upload-sarif@v3
3238 with :
3339 sarif_file : ${{ steps.scan.outputs.sarif }}
34-
35- Trivy :
36- runs-on : ubuntu-latest
37- permissions :
38- contents : read
39- steps :
40- - name : Checkout source code
41- uses : actions/checkout@v4
42-
43- # The first call to the action will invoke setup-trivy and install trivy
44- - name : Generate Trivy Vulnerability Report
45- uses : aquasecurity/trivy-action@master
46- with :
47- scan-type : " fs"
48- output : trivy-report.json
49- format : json
50- scan-ref : .
51- exit-code : 0
52-
53- - name : Upload Vulnerability Scan Results
54- uses : actions/upload-artifact@v4
55- with :
56- name : trivy-report
57- path : trivy-report.json
58- retention-days : 30
59-
60- - name : Fail build on High/Criticial Vulnerabilities
61- uses : aquasecurity/trivy-action@master
62- with :
63- scan-type : " fs"
64- format : table
65- scan-ref : .
66- severity : HIGH,CRITICAL
67- ignore-unfixed : true
68- exit-code : 1
69- # On a subsequent call to the action we know trivy is already installed so can skip this
70- skip-setup-trivy : true
71-
72- Build-Trivy :
73- name : Build
74- runs-on : ubuntu-20.04
75- steps :
76- - name : Checkout source code
77- uses : actions/checkout@v4
78-
79- - name : Run Trivy vulnerability scanner in repo mode
80- uses :
aquasecurity/[email protected] 81- with :
82- scan-type : ' fs'
83- ignore-unfixed : true
84- format : ' sarif'
85- output : ' trivy-results.sarif'
86- severity : ' CRITICAL'
87-
88- - name : Upload Trivy scan results to GitHub Security tab
89- uses : github/codeql-action/upload-sarif@v3
90- with :
91- sarif_file : ' trivy-results.sarif'
0 commit comments