Skip to content

security

security #110

Workflow file for this run

name: security
on:
workflow_dispatch:
schedule:
- cron: "0 21 * * FRI"
permissions:
contents: read
security-events: write
jobs:
trivy:
runs-on: ubuntu-latest
steps:
- name: Get tag for latest release
id: get_latest_release
run: |
latest_release_tag="$(gh api repos/${GH_REPO}/releases/latest --jq '.tag_name')"
if [[ -n $latest_release_tag ]]; then
echo "::debug::Tag for latest release is - $latest_release_tag"
echo "TAG_NAME=$latest_release_tag" >> "$GITHUB_OUTPUT"
else
echo "::error::Failed to get tag for latest release($latest_release_tag)"
exit 1
fi
env:
GH_REPO: ${{ github.repository }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Checkout latest tag
uses: actions/checkout@v3
with:
ref: ${{ steps.get_latest_release.outputs.TAG_NAME }}
- uses: actions/cache@v3
with:
path: .trivy
key: ${{ runner.os }}-trivy-${{ github.run_id }}
restore-keys: |
${{ runner.os }}-trivy-
- name: Run Trivy vulnerability scanner
id: trivy
uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54
with:
scan-type: 'image'
vuln-type: os
severity: HIGH,CRITICAL
ignore-unfixed: true
image-ref: 'ghcr.io/tprasadtp/protonwire:latest'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
if: github.ref == 'refs/heads/master' && always()
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'