Trivy Security Scan #3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Trivy Security Scan | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - release/* | |
| pull_request: | |
| branches: | |
| - main | |
| - release/* | |
| schedule: | |
| # Run daily at 2:00 AM UTC | |
| - cron: '0 2 * * *' | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| security-events: write # for uploading SARIF results | |
| actions: read | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} | |
| cancel-in-progress: true | |
| jobs: | |
| trivy-fs-scan: | |
| name: Trivy Filesystem Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Run Trivy vulnerability scanner in filesystem mode | |
| uses: aquasecurity/trivy-action@f781cce5aab226378ee181d764ab90ea0be3cdd8 # v0.29.0 | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| format: 'sarif' | |
| output: 'trivy-fs-results.sarif' | |
| severity: 'CRITICAL,HIGH,MEDIUM' | |
| trivyignores: '.trivyignore' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-fs-results.sarif' | |
| - name: Upload filesystem scan results as artifact | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| if: always() | |
| with: | |
| name: trivy-fs-scan-results | |
| path: trivy-fs-results.sarif | |
| trivy-java-scan: | |
| name: Trivy Java Dependencies Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Set up JDK for running Gradle | |
| uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 | |
| with: | |
| distribution: temurin | |
| java-version: 17 | |
| - name: Set up gradle | |
| uses: gradle/actions/setup-gradle@ac638b010cf58a27ee6c972d7336334ccaf61c96 # v4.4.1 | |
| with: | |
| cache-read-only: ${{ github.event_name == 'pull_request' }} | |
| - name: Build project | |
| run: ./gradlew build -x test | |
| - name: Run Trivy vulnerability scanner for Java dependencies | |
| uses: aquasecurity/trivy-action@f781cce5aab226378ee181d764ab90ea0be3cdd8 # v0.29.0 | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| scanners: 'vuln' | |
| format: 'sarif' | |
| output: 'trivy-java-results.sarif' | |
| severity: 'CRITICAL,HIGH,MEDIUM' | |
| trivyignores: '.trivyignore' | |
| - name: Upload Java dependencies scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-java-results.sarif' | |
| - name: Upload Java scan results as artifact | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| if: always() | |
| with: | |
| name: trivy-java-scan-results | |
| path: trivy-java-results.sarif | |
| trivy-config-scan: | |
| name: Trivy Configuration Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Run Trivy configuration scanner | |
| uses: aquasecurity/trivy-action@f781cce5aab226378ee181d764ab90ea0be3cdd8 # v0.29.0 | |
| with: | |
| scan-type: 'config' | |
| scan-ref: '.' | |
| format: 'sarif' | |
| output: 'trivy-config-results.sarif' | |
| severity: 'CRITICAL,HIGH,MEDIUM' | |
| trivyignores: '.trivyignore' | |
| - name: Upload configuration scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-config-results.sarif' | |
| - name: Upload configuration scan results as artifact | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| if: always() | |
| with: | |
| name: trivy-config-scan-results | |
| path: trivy-config-results.sarif | |
| trivy-secret-scan: | |
| name: Trivy Secret Scan | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Run Trivy secret scanner | |
| uses: aquasecurity/trivy-action@f781cce5aab226378ee181d764ab90ea0be3cdd8 # v0.29.0 | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| scanners: 'secret' | |
| format: 'sarif' | |
| output: 'trivy-secret-results.sarif' | |
| trivyignores: '.trivyignore' | |
| - name: Upload secret scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@4f3212b61783c3c68e8309a0f18a699764811cda # v3.27.1 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-secret-results.sarif' | |
| - name: Upload secret scan results as artifact | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| if: always() | |
| with: | |
| name: trivy-secret-scan-results | |
| path: trivy-secret-results.sarif | |
| workflow-notification: | |
| permissions: | |
| contents: read | |
| issues: write | |
| needs: | |
| - trivy-fs-scan | |
| - trivy-java-scan | |
| - trivy-config-scan | |
| - trivy-secret-scan | |
| if: always() | |
| uses: ./.github/workflows/reusable-workflow-notification.yml | |
| with: | |
| success: ${{ !contains(needs.*.result, 'failure') }} |