trivy action pipeline fix 2

siddhantprateek · Feb 23, 2024 · a94456b · a94456b
1 parent 27cff7a
commit a94456b
Show file tree

Hide file tree

Showing 2 changed files with 92 additions and 0 deletions.
diff --git a/.github/workflows/trivy-vulnerability.yml b/.github/workflows/trivy-vulnerability.yml
@@ -32,3 +32,49 @@ jobs:
         uses: github/codeql-action/upload-sarif@v2
         with:
           sarif_file: 'trivy-results.sarif'
+
+      - name: Run Trivy vulnerability scanner - s2
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'docker.io/siddhantprateek/qdapi:${{ github.sha }}'
+          format: 'table'
+          output: 'trivy-results.txt'
+          exit-code: '0'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH,MEDIUM'
+
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v5
+        with:
+          commit-message: update vulnerability list
+          title: Update vulnerability list
+          body: Update the vulnerability list
+          branch: update-vulnerabilities
+
+
+  configuration-scanner:
+    runs-on: ubuntu-latest
+    steps:     
+      -
+        name: Checkout
+        uses: actions/checkout@v3
+      - 
+        name: Run Trivy vulnerability scanner in IaC mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          scanners: 'config'
+          scan-ref: './cns-website' 
+          hide-progress: false
+          format: 'sarif'
+          ignore-unfixed: true
+          exit-code: '0'
+          severity: 'CRITICAL,HIGH'
+          output: 'trivy-results.sarif'
+          trivy-config: trivy.yaml
+      - 
+        name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/trivy.yml b/trivy.yml
@@ -0,0 +1,46 @@
+# Same as '--format'
+# Default is 'table'
+format: table
+
+# Same as '--report' (available with 'trivy k8s')
+# Default is all
+report: all
+
+# Same as '--template'
+# Default is empty
+template:
+
+# Same as '--dependency-tree'
+# Default is false
+dependency-tree: false
+
+# Same as '--list-all-pkgs'
+# Default is false
+list-all-pkgs: false
+
+# Same as '--ignorefile'
+# Default is '.trivyignore'
+ignorefile: .trivyignore
+
+# Same as '--ignore-policy'
+# Default is empty
+ignore-policy:
+
+# Same as '--exit-code'
+# Default is 0
+exit-code: 0
+
+# Same as '--exit-on-eol'
+# Default is 0
+exit-on-eol: 0
+
+# Same as '--output'
+# Default is empty (stdout)
+output:
+
+# Same as '--severity'
+# Default is all severities
+severity:
+  - MEDIUM
+  - HIGH
+  - CRITICAL