-
Notifications
You must be signed in to change notification settings - Fork 14
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Updates to Alpine 3.20.3, Java 17.0.13_p11 and latest maven deps
Signed-off-by: Adrian Cole <[email protected]>
- Loading branch information
1 parent
fd2b54a
commit 5d1f3f9
Showing
6 changed files
with
84 additions
and
25 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
--- | ||
name: security | ||
|
||
# We don't scan documentation-only commits. | ||
on: # yamllint disable-line rule:truthy | ||
push: # non-tagged pushes to master | ||
branches: | ||
- master | ||
tags-ignore: | ||
- '*' | ||
paths-ignore: | ||
- '**/*.md' | ||
- './build-bin/*lint' | ||
- ./build-bin/mlc_config.json | ||
pull_request: # pull requests targeted at the master branch. | ||
branches: | ||
- master | ||
paths-ignore: | ||
- '**/*.md' | ||
- './build-bin/*lint' | ||
- ./build-bin/mlc_config.json | ||
|
||
jobs: | ||
security: | ||
name: security | ||
runs-on: ubuntu-24.04 # newest available distribution, aka numbat | ||
# skip commits made by the release plugin | ||
if: "!contains(github.event.head_commit.message, 'maven-release-plugin')" | ||
steps: | ||
- name: Checkout Repository | ||
uses: actions/checkout@v4 | ||
- uses: actions/cache@v4 | ||
name: Cache Trivy Database | ||
with: | ||
path: .trivy | ||
key: ${{ runner.os }}-trivy | ||
restore-keys: ${{ runner.os }}-trivy | ||
- name: Run Trivy vulnerability and secret scanner | ||
uses: aquasecurity/trivy-action@master | ||
id: trivy | ||
env: # See https://github.com/aquasecurity/trivy/discussions/7668 | ||
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db | ||
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db | ||
with: | ||
scan-type: 'fs' | ||
scan-ref: '.' # scan the entire repository | ||
scanners: vuln,secret | ||
exit-code: '1' | ||
severity: HIGH,CRITICAL | ||
output: trivy-report.md | ||
cache-dir: .trivy | ||
- name: Set Summary | ||
shell: bash | ||
if: ${{ failure() && steps.trivy.conclusion == 'failure' }} | ||
# Add the Trivy report to the summary | ||
# | ||
# Note: This will cause a workflow error if trivy-report.md > the step | ||
# limit 1MiB. If this was due to too many CVEs, consider fixing them ;) | ||
run: cat trivy-report.md >> $GITHUB_STEP_SUMMARY |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters