Skip to content

Commit

Permalink
remove skip DB update env, and use 'latest' release
Browse files Browse the repository at this point in the history
  • Loading branch information
DaMandal0rian committed Dec 21, 2024
1 parent 03fe665 commit 7c33ab2
Showing 1 changed file with 41 additions and 48 deletions.
89 changes: 41 additions & 48 deletions .github/workflows/trivy-security-scan.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,11 +6,8 @@
name: trivy-security-scan

on:
push:
branches:
- 'bump-trivy-fix'
# repository_dispatch:
# types: [trivy-scan-dispatch]
repository_dispatch:
types: [trivy-scan-dispatch]

jobs:
trivy_scan:
Expand All @@ -24,53 +21,51 @@ jobs:
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

# Image availability check with retry logic
# - name: Check Docker image availability with retry
# id: check-image
# if: github.event.client_payload.image != ''
# run: |
# image="${{ github.event.client_payload.image }}"
# interval=300
# retry_limit=5
# attempt=0
- name: Check Docker image availability with retry
id: check-image
if: github.event.client_payload.image != ''
run: |
image="${{ github.event.client_payload.image }}"
interval=300
retry_limit=5
attempt=0
# while ! docker pull $image; do
# attempt=$((attempt + 1))
# if [ "$attempt" -gt "$retry_limit" ]; then
# echo "::error::Image $image is not available after $retry_limit attempts."
# exit 1
# fi
while ! docker pull $image; do
attempt=$((attempt + 1))
if [ "$attempt" -gt "$retry_limit" ]; then
echo "::error::Image $image is not available after $retry_limit attempts."
exit 1
fi
# echo "Waiting for $image to be available. Attempt $attempt/$retry_limit. Retrying in $interval seconds..."
# sleep $interval
# done
echo "Waiting for $image to be available. Attempt $attempt/$retry_limit. Retrying in $interval seconds..."
sleep $interval
done
# echo "Image $image is now available."
echo "Image $image is now available."
# Image scanning
# - name: Run Trivy vulnerability scanner on image
# if: github.event.client_payload.image != ''
# uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
# with:
# version: 'v0.57.2'
# image-ref: ${{ github.event.client_payload.image }}
# cache: 'true'
# format: "sarif"
# output: "trivy-image-results.sarif"
# exit-code: "1"
# ignore-unfixed: true
# vuln-type: "os,library"
# severity: "CRITICAL,HIGH"
# env:
# TRIVY_CACHE_DIR: .cache/trivy
# TRIVY_SKIP_DB_UPDATE: true
# TRIVY_SKIP_JAVA_DB_UPDATE: true
- name: Run Trivy vulnerability scanner on image
if: github.event.client_payload.image != ''
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
with:
version: 'latest'
image-ref: ${{ github.event.client_payload.image }}
cache: 'true'
format: "sarif"
output: "trivy-image-results.sarif"
exit-code: "1"
ignore-unfixed: true
vuln-type: "os,library"
severity: "CRITICAL,HIGH"
env:
TRIVY_CACHE_DIR: .cache/trivy

# # Upload image scan results
# - name: Upload Trivy image scan results
# uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
# with:
# sarif_file: "trivy-image-results.sarif"
# category: trivy-image
# Upload image scan results
- name: Upload Trivy image scan results
uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
with:
sarif_file: "trivy-image-results.sarif"
category: trivy-image

# Filesystem scanning
- name: Run Trivy filesystem scan
Expand All @@ -85,8 +80,6 @@ jobs:
ignore-unfixed: true
env:
TRIVY_CACHE_DIR: .cache/trivy
# TRIVY_SKIP_DB_UPDATE: true
# TRIVY_SKIP_JAVA_DB_UPDATE: true

# Upload filesystem scan results
- name: Upload Trivy filesystem scan results
Expand Down

0 comments on commit 7c33ab2

Please sign in to comment.