Skip to content

Allow manual runs of the security check (#233) #30

Allow manual runs of the security check (#233)

Allow manual runs of the security check (#233) #30

Workflow file for this run

---
name: security
# We don't scan documentation-only commits.
on: # yamllint disable-line rule:truthy
workflow_dispatch: # trigger ad-hoc runs of this action
push: # non-tagged pushes to master
branches:
- master
tags-ignore:
- '*'
paths-ignore:
- '**/*.md'
- './build-bin/*lint'
- ./build-bin/mlc_config.json
pull_request: # pull requests targeted at the master branch.
branches:
- master
paths-ignore:
- '**/*.md'
- './build-bin/*lint'
- ./build-bin/mlc_config.json
jobs:
security:
name: security
runs-on: ubuntu-24.04 # newest available distribution, aka numbat
# skip commits made by the release plugin
if: "!contains(github.event.head_commit.message, 'maven-release-plugin')"
steps:
- name: Checkout Repository
uses: actions/checkout@v4
- uses: actions/cache@v4
name: Cache Trivy Database
with:
path: .trivy
key: ${{ runner.os }}-trivy
restore-keys: ${{ runner.os }}-trivy
- name: Run Trivy vulnerability and secret scanner
uses: aquasecurity/trivy-action@master
id: trivy
env: # See https://github.com/aquasecurity/trivy/discussions/7668
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
with:
scan-type: 'fs'
scan-ref: '.' # scan the entire repository
scanners: vuln,secret
exit-code: '1'
severity: HIGH,CRITICAL
output: trivy-report.md
cache-dir: .trivy
- name: Set Summary
shell: bash
if: ${{ failure() && steps.trivy.conclusion == 'failure' }}
# Add the Trivy report to the summary
#
# Note: This will cause a workflow error if trivy-report.md > the step
# limit 1MiB. If this was due to too many CVEs, consider fixing them ;)
run: cat trivy-report.md >> $GITHUB_STEP_SUMMARY