Skip to content

Merge pull request #723 from martygrant/martin/update-contrib-build-docs #378

Merge pull request #723 from martygrant/martin/update-contrib-build-docs

Merge pull request #723 from martygrant/martin/update-contrib-build-docs #378

Workflow file for this run

# Runs linter for Docker files
name: Trivy
# Due to lower score on Scorecard we're running this separately from
# "PR/push" workflow. For some reason permissions weren't properly set
# or recognized (by Scorecard). If Scorecard changes its behavior we can
# use 'workflow_call' trigger.
on:
push:
branches-ignore:
- 'dependabot/**'
pull_request:
paths:
- '.github/docker/*Dockerfile'
- '.github/workflows/trivy.yml'
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
permissions:
contents: read
jobs:
trivy:
name: Trivy
runs-on: ${{ github.repository_owner == 'oneapi-src' && 'intel-ubuntu-22.04' || 'ubuntu-latest' }}
permissions:
security-events: write
steps:
- name: Clone the git repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Run Trivy
uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # v0.17.0
with:
scan-type: 'config'
hide-progress: false
format: 'sarif'
output: 'trivy-results.sarif'
exit-code: 1 # Fail if issue found
# file with suppressions: .trivyignore (in root dir)
- name: Print report and trivyignore file
run: |
echo "### Trivy ignore content:"
cat .trivyignore
echo "### Trivy report:"
cat trivy-results.sarif
- name: Upload results
uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3.24.0
with:
sarif_file: 'trivy-results.sarif'