We could improve the pipeline, if we fail it on new, critical / high dependency vulnerabilities.
Maybe we could:

- Create a `.trivyignore` file at the root directory
- Add a new action like this (but that might execute the scan twice)

```diff
      - name: Scan Docker image with Trivy (full report)
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
        with:
          image-ref: ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}:${{ github.sha }}
          format: 'sarif'
          output: 'trivy-results.sarif'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'
+     - name: Fail on CRITICAL or HIGH vulnerabilities
+       uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+       with:
+         image-ref: ghcr.io/${{ github.repository_owner }}/${{ matrix.image.name }}:${{ github.sha }}
+         format: 'table'
+         exit-code: '1'
+         severity: 'CRITICAL,HIGH'
+         trivyignores: '.trivyignore'
```

_Originally posted by @schwzr in #437 (comment)_
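The gate proposed above (fail only on CRITICAL/HIGH, skip anything listed in `.trivyignore`) is implemented inside Trivy itself via `exit-code`, `severity` and `trivyignores`, but it is useful to see the policy written out so it can be reasoned about and tested locally. The script below is an added example, not code from this issue, from Trivy or from `trivy-action`. It assumes Trivy's JSON report layout (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `PkgName`, `Severity`, `FixedVersion`) and the `.trivyignore` convention of one ID per line with `#` comments; the report and ignore file it scans are constructed samples with placeholder CVE identifiers. It goes slightly beyond the YAML in the comment by also offering an `ignore_unfixed` switch, a name chosen here to mirror the action's `ignore-unfixed` input.

```python
"""Severity gate over a Trivy JSON report, honouring a .trivyignore list.

Added example for local reasoning about the CI policy; not part of the
project or of Trivy. Sample report and ignore list below are constructed.
"""
import json

# Constructed report in the shape of `trivy image --format json`.
# The CVE identifiers are placeholders, not findings of any real image.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "example-image (alpine 3.19)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo",
                 "Severity": "CRITICAL", "FixedVersion": "1.2.4"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar",
                 "Severity": "HIGH", "FixedVersion": ""},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz",
                 "Severity": "MEDIUM", "FixedVersion": "2.0.1"},
            ],
        },
        {
            "Target": "Node.js",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "lodash",
                 "Severity": "HIGH", "FixedVersion": "4.17.21"},
            ],
        },
    ]
})

# Constructed .trivyignore: one vulnerability ID per line, '#' starts a comment.
SAMPLE_IGNORE = """
# accepted risk, tracked in ticket <placeholder>
CVE-0000-0002
"""


def parse_trivyignore(text):
    """Return the set of IDs listed in a .trivyignore body (comments stripped)."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids


def blocking_findings(report_json, ignore_text,
                      severities=("CRITICAL", "HIGH"), ignore_unfixed=False):
    """List (target, id, package, severity) tuples that should fail the build.

    A finding blocks when its severity is in `severities`, its ID is not in
    the ignore list and, if `ignore_unfixed` is set, a FixedVersion exists.
    """
    report = json.loads(report_json)
    ignored = parse_trivyignore(ignore_text)
    wanted = {s.upper() for s in severities}
    blocking = []
    # Trivy emits "Results": null for an empty scan and may omit
    # "Vulnerabilities" on a clean target, so both are treated as empty.
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            vid = vuln.get("VulnerabilityID")
            if vuln.get("Severity", "").upper() not in wanted:
                continue
            if vid in ignored:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            blocking.append((result.get("Target"), vid,
                             vuln.get("PkgName"), vuln["Severity"]))
    return blocking


def gate_exit_code(report_json, ignore_text, **policy):
    """Exit status the CI step should return: 1 if anything blocks, else 0."""
    return 1 if blocking_findings(report_json, ignore_text, **policy) else 0


if __name__ == "__main__":
    for target, vid, pkg, sev in blocking_findings(SAMPLE_REPORT, SAMPLE_IGNORE):
        print(f"{sev:8} {vid:15} {pkg:10} ({target})")
    raise SystemExit(gate_exit_code(SAMPLE_REPORT, SAMPLE_IGNORE))
```

Running it with the constructed data prints the CRITICAL `libfoo` and HIGH `lodash` findings and exits 1; the HIGH `libbar` entry is suppressed by the ignore file and the MEDIUM one by the severity filter. The same decision in CI is what `exit-code: '1'`, `severity: 'CRITICAL,HIGH'` and `trivyignores: '.trivyignore'` produce, and because the SARIF step in the comment does not pass `trivyignores`, the Security tab will still show the ignored IDs while the gate stays green, which is usually the desired visibility.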