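# Copyright 2024-2025, Intel Corporation
# SPDX-License-Identifier: BSD-3-Clause
# Runs linter for Docker files
#
# Trivy is run in "config" (misconfiguration) scan mode over the repository's
# Dockerfiles; the SARIF report is printed to the job log, uploaded to the
# GitHub Security tab and kept as a build artifact.
name: Trivy

# Workflow-wide default: the GITHUB_TOKEN is read-only unless a job
# explicitly asks for more below.
permissions: read-all

on:
  workflow_dispatch:
  push:
  pull_request:
    # Only re-run on changes that can affect the scan result.
    paths:
      - '**/Dockerfile'
      - '.github/workflows/trivy.yml'
      - '.trivyignore'

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  linux:
    name: Trivy
    runs-on: ubuntu-latest
    # A job-level permissions block replaces the workflow-level one entirely,
    # so the read access checkout relies on is restated here next to the
    # write access the SARIF upload needs; everything else stays "none".
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Clone the git repo
        # Every action is pinned to a full commit SHA (the tag is kept in the
        # trailing comment) so that a moved or re-tagged release cannot swap in
        # different action code.
        uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1

      - name: Run Trivy
        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
        with:
          scan-type: 'config'
          hide-progress: false
          format: 'sarif'
          output: 'trivy-results.sarif'
          # Findings accepted on purpose are listed in .trivyignore so they
          # do not resurface on every run.
          trivyignores: '.trivyignore'
          # Skip released versions before v1.25.0
          skip-dirs: 'docker/v1.24.0,docker/v1.23.0,docker/v1.22.0,docker/v1.21.0,docker/v1.20.0,docker/v1.19.0,docker/v1.18.0,docker/v1.17.0,docker/v1.16.0,docker/v1.15.0,docker/v1.14.1,docker/v1.14.0,docker/v1.13.0,docker/v1.12.0,docker/v1.11.0,docker/v1.10.0,docker/v1.9.2,docker/v1.9.1'

      # Echo the raw SARIF into the log so a failing or surprising result can
      # be inspected without downloading the artifact.
      - name: Print report
        run: |
          echo "### Trivy report:"
          cat trivy-results.sarif

      - name: Upload Trivy results to Github Security tab
        uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # v3.29.0
        with:
          sarif_file: 'trivy-results.sarif'

      - name: Upload Trivy results
        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
        with:
          name: trivy-results.sarif
          path: trivy-results.sarif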