
     1  # Scan our docker images for vulnerabilities
     2  name: Trivy
     3  on:
     4    # always do a security scan when a change is merged
     5    push:
     6      branches-ignore:
     7        # Disable running the push event for dependabot.
     8        # Dependabot pushes to branches in our repo, not in a fork. This causes the push event to trigger for dependabot PRs and the CodeQL check fails.
     9        - "dependabot/**"
    10    # Only do a security scan on a PR when there are non-doc changes to save time
    11    pull_request:
    12      paths-ignore:
    13        - 'docs/**'
    14  
    15  jobs:
    16    scan:
    17      runs-on: ubuntu-latest
    18      steps:
    19        - name: Checkout
    20          uses: actions/checkout@v3
    21          with:
    22            fetch-depth: 0 # Get all git history
    23        - name: Set up Go
    24          uses: actions/setup-go@v4
    25          with:
    26            go-version: 1.24.4
    27            cache: true
    28        - name: Configure Agent
    29          run: go run mage.go ConfigureAgent
    30        - name: Build Binaries
    31          run: mage -v XBuildAll
    32        - name: Build Docker Images
    33          run: mage -v BuildImages
    34        - name: Scan Images with Trivy
    35          uses: aquasecurity/trivy-action@master
    36          with:
    37            image-ref: "localhost:5000/porter-agent:${{ env.VERSION }}"
    38            format: sarif
    39            output: trivy-results.sarif
    40        - name: Upload Trivy scan results to GitHub Security tab
    41          uses: github/codeql-action/upload-sarif@v2
    42          with:
    43            sarif_file: trivy-results.sarif