Skip to content

Use the upstream Trivy action to scan licenses #4012

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Oct 9, 2024
Merged

Use the upstream Trivy action to scan licenses #4012

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
b7df80b
Use the upstream Trivy action to scan licenses
cbandy Oct 9, 2024
0b93eff
Pin Trivy action to its latest tagged release, 0.26.0
cbandy Oct 9, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 9 additions & 25 deletions .github/workflows/trivy.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,31 +19,15 @@ jobs:
with: { go-version: stable }
- run: go mod download

# Login to the GitHub Packages registry to avoid rate limiting.
# - https://aquasecurity.github.io/trivy/v0.55/docs/references/troubleshooting/#github-rate-limiting
# - https://github.com/aquasecurity/trivy/issues/7580
# - https://github.com/aquasecurity/trivy-action/issues/389
# - https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry
# - https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions
- name: Login to GitHub Packages
run: >
docker login ghcr.io
--username '${{ github.actor }}'
--password-stdin <<< '${{ secrets.GITHUB_TOKEN }}'

# Report success only when detected licenses are listed in [/trivy.yaml].
# The "aquasecurity/trivy-action" action cannot access the Go module cache,
# so run Trivy from an image with the cache and local configuration mounted.
# - https://github.com/aquasecurity/trivy-action/issues/219
# - https://github.com/aquasecurity/trivy/pkgs/container/trivy
- name: Scan licenses
run: >
docker run
--env 'DOCKER_CONFIG=/docker' --volume "${HOME}/.docker:/docker"
--env 'GOPATH=/go' --volume "$(go env GOPATH):/go"
--workdir '/mnt' --volume "$(pwd):/mnt"
'ghcr.io/aquasecurity/trivy:latest'
filesystem --debug --exit-code=1 --scanners=license .
uses: aquasecurity/[email protected]
env:
TRIVY_DEBUG: true
with:
scan-type: filesystem
scanners: license
exit-code: 1

vulnerabilities:
if: ${{ github.repository == 'CrunchyData/postgres-operator' }}
Expand All @@ -62,7 +46,7 @@ jobs:
# and is a convenience/redundant effort for those who prefer to
# read logs and/or if anything goes wrong with the upload.
- name: Log all detected vulnerabilities
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.26.0
with:
scan-type: filesystem
hide-progress: true
Expand All @@ -74,7 +58,7 @@ jobs:
# - https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github
# - https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning
- name: Report actionable vulnerabilities
uses: aquasecurity/trivy-action@master
uses: aquasecurity/trivy-action@0.26.0
with:
scan-type: filesystem
ignore-unfixed: true
Expand Down