Skip to content

Trivy Scan Images

Trivy Scan Images #655

name: Trivy Scan Images
on:
push:
workflow_dispatch:
# Run Trivy Scan every week day
schedule:
- cron: '0 7 * * 1-5'
env:
REGISTRY: ghcr.io
jobs:
trivy_scan_latest:
name: Trivy-Scan
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
dockerfile-dir:
- hmpps-devops-tools
- hmpps-mssql-tools
- hmpps-mysql-tools
- hmpps-clamav
- hmpps-wiremock
- hmpps-localstack
permissions:
packages: write
contents: read
security-events: write
steps:
# Need to checkout the repo to get the .trivyignore file
- name: Check out the repo
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner (table output)
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.dockerfile-dir }}:latest
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
scanners: 'vuln'
severity: 'CRITICAL,HIGH'
#trivyignores: '${{ matrix.dockerfile-dir }}/.trivyignore'
timeout: 15m
- name: Slack notification
id: slack
if: ${{ failure() }}
uses: slackapi/[email protected]
with:
channel-id: 'hmpps-sre-alerts-nonprod'
slack-message: "_Job:_ ${{ github.job }}\n_Status:_ ${{ job.status }}\n_Workflow:_ ${{ github.workflow }}\n_Repo:_ ${{ github.repository }}\n<https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}|View on github>\n"
env:
SLACK_BOT_TOKEN: ${{ secrets.HMPPS_SLACK_BOT_TOKEN }}
- name: Run Trivy vulnerability scanner (sarif output)
if: always()
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.dockerfile-dir }}:latest
ignore-unfixed: true
vuln-type: 'os,library'
scanners: 'vuln'
severity: 'CRITICAL,HIGH'
exit-code: '1'
format: 'sarif'
output: '${{ matrix.dockerfile-dir }}/trivy-results.sarif'
#trivyignores: '${{ matrix.dockerfile-dir }}/.trivyignore'
limit-severities-for-sarif: true
timeout: 15m
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: '${{ matrix.dockerfile-dir }}/trivy-results.sarif'