
Commit c1f9c44

committed
Change Scan container image GA
Use Trivy action instead of archived Azure/container-scan GA
1 parent 6420a34 commit c1f9c44

1 file changed

+18
-18
lines changed

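--- a/.github/workflows/build_test_package.yml
+++ b/.github/workflows/build_test_package.yml
@@ -738,36 +738,36 @@ jobs:
 :cosmotech-api:jibDockerBuild
 -Djib.to.image=com.cosmotech/cosmotech-api:${{ github.sha }}
 
-- name: Scan Container Image
+- name: Run Trivy vulnerability scanner
+uses: aquasecurity/[email protected]
 id: scan
-# TODO For now, do not block if the container scan action returns issues
-continue-on-error: true
-uses: Azure/[email protected]
-with:
-image-name: com.cosmotech/cosmotech-api:${{ github.sha }}
+# Add TRIVY_DB_REPOSITORY due to ratelimit issue
+# https://github.com/aquasecurity/trivy-action/issues/389
 env:
 DOCKLE_HOST: "unix:///var/run/docker.sock"
+TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+
+# TODO For now, do not block if the container scan action returns issues
+continue-on-error: true
 
-- name: Convert Container Scan Report to SARIF
-id: scan-to-sarif
-uses: rm3l/[email protected]
-if: ${{ always() }}
 with:
-input-file: ${{ steps.scan.outputs.scan-report-path }}
+image-ref: com.cosmotech/cosmotech-api:${{ github.sha }}
+format: "sarif"
+severity: "CRITICAL,HIGH"
+output: "trivy-results.sarif"
 
-- name: Upload SARIF reports to GitHub Security tab
-uses: github/codeql-action/upload-sarif@v2
-if: ${{ always() }}
+- name: Upload Trivy scan results to GitHub Security tab
+uses: github/codeql-action/upload-sarif@v3
 with:
-sarif_file: ${{ steps.scan-to-sarif.outputs.sarif-report-path }}
+sarif_file: "trivy-results.sarif"
 
 - name: Archive container image scan report
 if: ${{ always() }}
-continue-on-error: true
-uses: actions/upload-artifact@v3
+uses: actions/upload-artifact@v4
 with:
 name: container-image-scan-report
-path: ${{ steps.scan.outputs.scan-report-path }}
+path: "trivy-results.sarif"
 retention-days: 3
 
 - name: Login to GitHub Container Registry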
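Review bot: The `DOCKLE_HOST: "unix:///var/run/docker.sock"` entry survives as context under the new Trivy step's `env:` block, but it belonged to the removed Azure/container-scan step (which ran Dockle) and nothing in the Trivy step reads it, so it should be dropped rather than left to suggest the Docker socket is still consumed by this scanner. The upload step also lost the `if: ${{ always() }}` the old SARIF steps carried, and `continue-on-error: true` was removed from the archive step; since `trivy-results.sarif` only exists when the scan completes, a scan aborted by the very DB rate-limit the comment cites would presumably fail the job at `upload-sarif` on a missing file, which defeats the "do not block" intent of the TODO — keeping `continue-on-error: true` on the upload and archive steps, or guarding them with `if: ${{ always() && hashFiles('trivy-results.sarif') != '' }}`, restores that. As a supply-chain point of style, `github/codeql-action/upload-sarif@v3` and `actions/upload-artifact@v4` are mutable major tags; pinning each to a full commit SHA with the version in a trailing comment makes the third-party code this workflow executes immutable (the Trivy action's ref is obscured in this rendering, so it cannot be judged here). The enclosing job starts outside the hunk.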
