PBM. Add fix for trivy (#1095)

sandraromanchenko · web-flow · commit 580a3c960d2d · 2025-02-18T11:50:04.000+02:00
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -11,17 +11,20 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-
-      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@master
         with:
-          scan-type: "fs"
-          ignore-unfixed: true
-          format: "sarif"
-          output: "trivy-results.sarif"
-          severity: "CRITICAL,HIGH"
+          ref: ${{ github.event.pull_request.head.sha }}
 
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2
-        with:
-          sarif_file: "trivy-results.sarif"
+      - name: Download latest trivy
+        run: |
+          mkdir -p ${{ github.workspace }}/trivy
+          LATEST_TRIVY_VERSION=$(curl --retry 5 --retry-connrefused --retry-delay 5 --fail -s https://api.github.com/repos/aquasecurity/trivy/releases/latest | jq -r .tag_name)
+          TRIVY_VERSION_STRIPPED=$(echo "$LATEST_TRIVY_VERSION" | sed 's/^v//')
+          wget --tries=5 --retry-connrefused --waitretry=5 -O ${{ github.workspace }}/trivy/trivy.tar.gz \
+              https://github.com/aquasecurity/trivy/releases/download/$LATEST_TRIVY_VERSION/trivy_${TRIVY_VERSION_STRIPPED}_Linux-64bit.tar.gz && break || sleep 5
+          tar -xzf ${{ github.workspace }}/trivy/trivy.tar.gz -C ${{ github.workspace }}/trivy
+
+      - name: Generate SBOM
+        run: ${{ github.workspace }}/trivy/trivy fs --format cyclonedx --output ${{ github.workspace }}/sbom.json ${{ github.workspace }}
+
+      - name: Run trivy scan on SBOM
+        run: ${{ github.workspace }}/trivy/trivy sbom ${{ github.workspace }}/sbom.json --severity HIGH,CRITICAL --ignore-unfixed --exit-code=1
