diff --git a/.github/workflows/build-snap.yml b/.github/workflows/build-snap.yml
index 3f26eb88ea..ceae3acc52 100644
--- a/.github/workflows/build-snap.yml
+++ b/.github/workflows/build-snap.yml
@@ -210,35 +210,26 @@ jobs:
 with:
 name: microk8s.snap
 path: build
- - name: Setup Trivy vulnerability scanner
+ - name: Create sarifs directory
 run: |
 mkdir -p sarifs
- VER=$(curl --silent -qI https://github.com/aquasecurity/trivy/releases/latest | awk -F '/' '/^location/ {print substr($NF, 1, length($NF)-1)}');
- wget https://github.com/aquasecurity/trivy/releases/download/${VER}/trivy_${VER#v}_Linux-64bit.tar.gz
- tar -zxvf ./trivy_${VER#v}_Linux-64bit.tar.gz
- - name: Run Trivy vulnerability scanner in repo mode
- uses: aquasecurity/trivy-action@master
- with:
- scan-type: "fs"
- ignore-unfixed: true
- format: "sarif"
- output: "trivy-microk8s-repo-scan--results.sarif"
- severity: "CRITICAL"
- - name: Gather Trivy repo scan results
- run: |
- cp trivy-microk8s-repo-scan--results.sarif ./sarifs/
+ - name: Install Trivy vulnerability scanner
+ uses: aquasecurity/setup-trivy@v0.2.2
+ - name: Run Trivy vulnerability scanner on codebase
+ run: |
+ trivy fs . --format sarif --severity CRITICAL > sarifs/trivy-microk8s-repo-scan--results.sarif
 - name: Run Trivy vulnerability scanner on images
 run: |
 for i in $(cat ./build-scripts/images.txt) ; do
 name=$(echo $i | awk -F ':|/' '{print $(NF-1)}')
- ./trivy image $i --format sarif > sarifs/$name.sarif
+ trivy image $i --format sarif > sarifs/$name.sarif
 done
 - name: Run Trivy vulnerability scanner on the snap
 run: |
 cp build/microk8s.snap .
 unsquashfs microk8s.snap
- ./trivy rootfs ./squashfs-root/ --format sarif > sarifs/snap.sarif
+ trivy rootfs ./squashfs-root/ --format sarif > sarifs/snap.sarif
 - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@v3
 with:
 sarif_file: "sarifs"
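Review bot: `uses: aquasecurity/setup-trivy@v0.2.2` pins the scanner installer to a mutable tag, so the step that downloads and executes a binary on the build host still trusts whatever the tag points to at run time; pin it to the full commit SHA with the tag kept as a comment, `uses: aquasecurity/setup-trivy@<COMMIT_SHA_FOR_v0.2.2>  # v0.2.2`, and do the same for `github/codeql-action/upload-sarif@v3`. This is already an improvement over the removed `curl`-to-latest download and `trivy-action@master`, but the new form is not yet immutable. Separately, the rewritten codebase scan drops the `ignore-unfixed: true` that the removed trivy-action step carried, so `trivy fs . --format sarif --severity CRITICAL` will now also report CRITICAL findings with no available fix; if that is unintended, add `--ignore-unfixed` to the command. The image and rootfs commands apply no `--severity` filter at all, unlike the codebase scan, so the uploaded SARIF files are filtered inconsistently; that is pre-existing, but worth aligning while these commands are being rewritten.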