From 64c2d9981a6178b7cc97c443df1e1e60d82dd1b8 Mon Sep 17 00:00:00 2001
From: AndyZiYe
Date: Tue, 21 May 2024 11:02:28 +0800
Subject: [PATCH] [Tool] Trivy Pipeline
Signed-off-by: AndyZiYe
---
.github/workflows/.trivy.yaml | 34 ++++++++++++++++++++++++++++
.github/workflows/trivy-pipeline.yml | 29 ++++++++++++++++++++++++
2 files changed, 63 insertions(+)
create mode 100644 .github/workflows/.trivy.yaml
create mode 100644 .github/workflows/trivy-pipeline.yml
diff --git a/.github/workflows/.trivy.yaml b/.github/workflows/.trivy.yaml
new file mode 100644
index 0000000000000..47f8a6a49ee03
--- /dev/null
+++ b/.github/workflows/.trivy.yaml
@@ -0,0 +1,34 @@
+# Same as '--severity'
+# Default is all severities
+severity:
+ - HIGH
+ - CRITICAL
+
+scan:
+ # Same as '--security-checks'
+ # Default depends on subcommand
+ security-checks:
+ - vuln
+
+vulnerability:
+ # Same as '--vuln-type'
+ # Default is 'os,library'
+ type:
+ - library
+
+# Same as '--format'
+format: sarif
+
+# Same as '--output'
+# Used to upload sarif to GitHub Security tab
+output: trivy-results.sarif
+
+# Same as '--ignore-unfixed'
+ignore-unfixed: false
+
+# Same as '--list-all-pkgs'
+list-all-pkgs: false
+
+# Same as '--exit-code'
+# Zero as we are only reporting for now, not enforcing
+exit-code: 0
\ No newline at end of file
diff --git a/.github/workflows/trivy-pipeline.yml b/.github/workflows/trivy-pipeline.yml
new file mode 100644
index 0000000000000..7227acfccadb5
--- /dev/null
+++ b/.github/workflows/trivy-pipeline.yml
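Review bot: `type:` under `vulnerability` lists only `library`, which drops OS-package findings from an image scan even though the comment directly above records that the default is `os,library`; for a CentOS 7 base image the OS packages are likely where most of the findings are, so unless the narrowing is deliberate it should be `- os` and `- library`, and if it is deliberate the comment should say why, e.g. `# library only: OS-package findings are intentionally excluded from this report`. `security-checks` under `scan` is the older spelling of `scanners` in recent Trivy releases; verify that the Trivy bundled with the pinned action (0.19.0) still reads `scan.security-checks` from a config file, or switch the key to `scanners:` so the selection does not rely on a deprecated alias. The file also ends without a trailing newline (`\ No newline at end of file`).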
@@ -0,0 +1,29 @@
+name: TRIVY PIPELINE
+
+on:
+ pull_request:
+ types:
+ - opened
+ - synchronize
+
+ branches:
+ - trivy-test
+ - main
+
+concurrency:
+ group: ${{ github.event.number }}
+ cancel-in-progress: true
+
+jobs:
+ trivy-checker:
+ runs-on: [self-hosted, normal]
+ name: RUN
+ steps:
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 #0.19.0
+ env:
+ TMPDIR: ${{ github.workspace }}/trivy_temp # Required to prevent Trivy running out of space
+ with:
+ image-ref: "registry.cn-zhangjiakou.aliyuncs.com/starrocks/dev-env-centos7:3.1-latest"
+ scan-type: "image"
+ trivy-config: ".trivy.yaml"
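Review bot: `trivy-config: ".trivy.yaml"` on the last line does not point at the config this commit adds: the job has no `actions/checkout` step, so the workspace on the self-hosted runner need not contain the repository at all, and even after a checkout the file lives at `.github/workflows/.trivy.yaml`, not at the workspace root where the relative path resolves. As written the severity filter, SARIF format and output path are therefore not applied (whether Trivy errors out or silently runs with defaults depends on how the action treats a missing `--config`). The config comment says the SARIF is `Used to upload sarif to GitHub Security tab`, yet no step uploads `trivy-results.sarif`, and with `exit-code: 0` the job always passes, so the findings are discarded. Adding a checkout, pointing `trivy-config` at the committed path, and uploading the report with `github/codeql-action/upload-sarif` (which needs `security-events: write`) closes both gaps; both new actions should be pinned to a commit SHA the way the trivy step already is.
```yaml
jobs:
  trivy-checker:
    runs-on: [self-hosted, normal]
    name: RUN
    permissions:
      contents: read
      security-events: write  # required by upload-sarif
    steps:
      - name: Check out repository  # needed so trivy-config resolves
        uses: actions/checkout@v4  # pin to a commit SHA like the trivy step below

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 #0.19.0
        # … unchanged: env/TMPDIR, image-ref, scan-type …
        with:
          trivy-config: ".github/workflows/.trivy.yaml"

      - name: Upload Trivy SARIF to the Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v3  # pin to a commit SHA like the trivy step above
        with:
          sarif_file: trivy-results.sarif
```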