Skip to content
trivy check

Update Helm release kyverno-policies to v3 #1396

Sign in to view logs

Update Helm release kyverno-policies to v3

Update Helm release kyverno-policies to v3 #1396

Workflow file for this run

.github/workflows/trivy.yml at a59c49b
name: trivy check
env:
TRIVY_VERSION: 0.30.4
TRIVY_EXIT_CODE: 1
TRIVY_IGNORE_UNFIXED: true
TRIVY_SKIP_FILES: "k8s-the-easy-way/k8s-manifests/inspektor-gadget-all.yaml"
TRIVY_SKIP_DIRS: "tests/assets/k8s"
on:
workflow_dispatch:
pull_request:
branches:
- main
# push:
# branches-ignore:
# - main
permissions:
contents: read
jobs:
build:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
name: run trivy
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Install Trivy
run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v${{ env.TRIVY_VERSION }}
- name: Show version
run: trivy --version
- name: Run Scan
continue-on-error: true
run: trivy conf -f table .
# - name: Run Trivy vulnerability scanner in IaC mode
# uses: aquasecurity/trivy-action@master
# with:
# scan-type: 'config'
# hide-progress: false
# format: 'table'
# exit-code: '1'
# ignore-unfixed: true
# # severity: 'CRITICAL,HIGH'
- name: Run Scan
continue-on-error: true
run: trivy conf -f sarif --output trivy-results.sarif .
# - name: Upload output file
# if: ${{ github.actor!= 'dependabot[bot]' }}
# uses: actions/upload-artifact@v3
# with:
# name: trivy-results.sarif
# path: trivy-results.sarif
- name: Upload Trivy scan results to GitHub Security tab
if: ${{ github.actor!= 'dependabot[bot]' }}
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
category: trivy-iac