mirror of
https://github.com/appleboy/drone-ssh.git
synced 2026-06-14 05:12:39 +08:00
Bo-Yi Wu
a0516e06f2
- bump actions/checkout to v6 - bump actions/setup-go to v6 - bump actions/cache to v5 - bump goreleaser/goreleaser-action to v7 - bump golangci/golangci-lint-action to v9 - bump github/codeql-action/* to v4 - bump codecov/codecov-action to v5 - bump docker/build-push-action to v7 - bump docker/login-action to v4 - bump docker/metadata-action to v6 - bump docker/setup-buildx-action to v4 - bump docker/setup-qemu-action to v4 - bump hadolint/hadolint-action to v3.3.0 - bump aquasecurity/trivy-action to v0.35.0
86 lines
2.1 KiB
YAML
86 lines
2.1 KiB
YAML
name: Trivy Security Scan
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- master
|
|
pull_request:
|
|
branches:
|
|
- master
|
|
schedule:
|
|
# Run daily at 00:00 UTC
|
|
- cron: "0 0 * * *"
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
contents: read
|
|
security-events: write
|
|
|
|
jobs:
|
|
trivy-repo-scan:
|
|
name: Trivy Repository Scan
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v6
|
|
|
|
- name: Run Trivy vulnerability scanner (repo)
|
|
uses: aquasecurity/trivy-action@v0.35.0
|
|
with:
|
|
scan-type: "fs"
|
|
scan-ref: "."
|
|
format: "sarif"
|
|
output: "trivy-repo-results.sarif"
|
|
severity: "CRITICAL,HIGH"
|
|
|
|
- name: Upload Trivy scan results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@v4
|
|
if: always()
|
|
with:
|
|
sarif_file: "trivy-repo-results.sarif"
|
|
|
|
trivy-image-scan:
|
|
name: Trivy Image Scan
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v6
|
|
|
|
- name: Setup go
|
|
uses: actions/setup-go@v6
|
|
with:
|
|
go-version-file: go.mod
|
|
check-latest: true
|
|
|
|
- name: Build binary
|
|
run: |
|
|
make build_linux_amd64
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v4
|
|
|
|
- name: Build Docker image for scanning
|
|
uses: docker/build-push-action@v7
|
|
with:
|
|
context: .
|
|
file: docker/Dockerfile
|
|
platforms: linux/amd64
|
|
push: false
|
|
load: true
|
|
tags: drone-ssh:scan
|
|
|
|
- name: Run Trivy vulnerability scanner (image)
|
|
uses: aquasecurity/trivy-action@v0.35.0
|
|
with:
|
|
image-ref: "drone-ssh:scan"
|
|
format: "sarif"
|
|
output: "trivy-image-results.sarif"
|
|
severity: "CRITICAL,HIGH"
|
|
|
|
- name: Upload Trivy image scan results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@v4
|
|
if: always()
|
|
with:
|
|
sarif_file: "trivy-image-results.sarif"
|
|
category: "trivy-image"
|