chore(deps): Update execution environments (patch) #602
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: 'Trivy' | |
| on: # yamllint disable-line rule:truthy | |
| schedule: | |
| - cron: '43 17 * * 4' | |
| pull_request: | |
| branches: | |
| - 'main' | |
| push: | |
| branches: | |
| - 'main' | |
| workflow_dispatch: {} | |
| permissions: 'read-all' | |
| env: | |
| # gitleaks image to use to check files prior to uploading them to prevent sensitive data being leaked | |
| # yamllint disable rule:line-length | |
| # renovate image dep: | |
| gitleaks-image: 'ghcr.io/gitleaks/gitleaks:v8.19.2@sha256:7e84fe0c55c5e46b15d7137ee4531f286023dad3c696935758b010c4317ff69b' | |
| # yamllint enable rule:line-length | |
| jobs: | |
| analysis: | |
| name: 'Trivy' | |
| runs-on: 'ubuntu-22.04' | |
| permissions: | |
| security-events: 'write' | |
| steps: | |
| - name: 'Harden Runner' | |
| uses: 'step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7' # v2.10.1 | |
| with: | |
| disable-sudo: true | |
| egress-policy: 'block' | |
| allowed-endpoints: > | |
| api.github.com:443 | |
| ghcr.io:443 | |
| github.com:443 | |
| pkg-containers.githubusercontent.com:443 | |
| - name: 'Checkout the repository' | |
| uses: 'actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332' # v4.1.7 | |
| with: | |
| persist-credentials: false | |
| - name: 'Scan repository with Trivy' | |
| uses: 'aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8' # 0.24.0 | |
| with: | |
| scan-type: 'fs' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| trivy-config: 'trivy.yaml' | |
| - name: 'Scan trivy-results.sarif to ensure it contains no secrets' | |
| shell: 'bash' | |
| run: | | |
| # fail if: | |
| # - a variable is unbound | |
| # - any command fails | |
| # - a command in a pipe fails | |
| # - a command in a sub-shell fails | |
| set -Eeuo pipefail | |
| # enable debug if runner runs in debug | |
| [[ "${{ runner.debug }}" -ne 1 ]] || { | |
| echo "INFO: Enabling bash trace"; | |
| set -x; | |
| }; | |
| docker run -v ./trivy-results.sarif:/scan "${{ env.gitleaks-image }}" detect --source "/scan" --no-git || { | |
| echo "ERROR: Secret found, failing workflow"; | |
| exit 1; | |
| }; | |
| - name: 'Upload artifact' | |
| uses: 'actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874' # v4.4.0 | |
| with: | |
| name: 'Trivy SARIF file' | |
| path: 'trivy-results.sarif' | |
| retention-days: 5 | |
| - name: 'Upload to code-scanning' | |
| uses: 'github/codeql-action/upload-sarif@8214744c546c1e5c8f03dde8fab3a7353211988d' # v3.26.7 | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| ... |