Skip to content

Add Trivy misconfig scan to CI #4

Add Trivy misconfig scan to CI

Add Trivy misconfig scan to CI #4

Workflow file for this run

name: Helm CI
on:
push:
branches:
- main
paths:
- .github/workflows/**
- charts/**
pull_request:
branches:
- main
paths:
- .github/workflows/**
- charts/**
permissions: { }
jobs:
lint:
name: Lint
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: Checkout Repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
with:
fetch-depth: "0"
- name: Set up Helm
uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # tag=v3.5
- name: Set up Python
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # tag=v5.0.0
with:
python-version: "3.11"
check-latest: true
- name: Set up Chart Testing
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # tag=v2.6.1
- name: Lint Chart
run: ct lint --config ct.yaml
- name: Scan for Misconfiguration
uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # tag=v0.19.0
with:
scan-type: config
format: sarif
output: misconfig.sarif
severity: "MEDIUM,HIGH,CRITICAL"
exit-code: 1
- name: Upload Misconfiguration Scan Results
uses: github/codeql-action/upload-sarif@956f09c2ef1926b580554b9014cfb8a51abf89dd # tag=codeql-bundle-v2.16.6
with:
sarif_file: misconfig.sarif
test:
name: Test
runs-on: ubuntu-latest
timeout-minutes: 15
steps:
- name: Checkout Repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # tag=v4.1.1
with:
fetch-depth: "0"
- name: Set up Helm
uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # tag=v3.5
- name: Set up Python
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # tag=v5.0.0
with:
python-version: "3.11"
check-latest: true
- name: Set up Chart Testing
uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # tag=v2.6.1
- name: Create Kind Cluster
uses: helm/kind-action@dda0770415bac9fc20092cacbc54aa298604d140 # tag=v1.8.0
- name: Test
run: ct install --config ct.yaml --debug