Skip to content
Trivy Nightly Scan

Trivy Nightly Scan #180

Sign in to view logs

Trivy Nightly Scan

Trivy Nightly Scan #180

Workflow file for this run

.github/workflows/trivy.yml at e461b4c
name: Trivy Nightly Scan
on:
workflow_dispatch:
schedule:
- cron: '0 0 * * *' # This runs the workflow every night at midnight UTC
jobs:
build:
if: github.event.pull_request.draft == false
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-22.04
timeout-minutes: 15
env:
TRIVY_DB_REPOSITORY: 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db'
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Install Trivy
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
- name: Run Trivy code vulnerability scanner (JSON Output)
run: |
trivy --quiet fs \
--format json \
--output trivy-code-results.json \
--ignore-unfixed \
--vuln-type os,library \
--severity CRITICAL,HIGH,MEDIUM \
.
- name: Display Trivy code Scan Results
if: failure() # Ensure this step runs regardless of the previous step's outcome
run: |
echo "Trivy Scan Results:"
cat trivy-code-results.json | jq '.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[] | {VulnerabilityID, PkgName, InstalledVersion, Severity, Description}'
- name: Upload Code Vulnerability Scan Results
uses: actions/upload-artifact@v4
with:
name: trivy-code-report-json
path: trivy-code-results.json
- name: Build an image from Dockerfile
run: |
docker build --pull -t docker.io/securefederatedai/openfl:${{ github.sha }} -f openfl-docker/Dockerfile.base .
- name: Run Trivy vulnerability scanner for Docker image (JSON Output)
id: trivy-scan
uses: aquasecurity/[email protected]
with:
image-ref: 'docker.io/securefederatedai/openfl:${{ github.sha }}'
format: 'json'
output: 'trivy-docker-results.json'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH,MEDIUM'
trivyignores: '.trivyignore'
- name: Display Trivy Docker Scan Results
if: failure() # Ensure this step runs regardless of the previous step's outcome
run: |
if [ -s trivy-docker-results.json ]; then
echo "Trivy Scan Results:"
cat trivy-docker-results.json | jq '.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[] | {VulnerabilityID, PkgName, InstalledVersion, Severity, Description}'
else
echo "Trivy scan results file is empty or not found."
fi
- name: Upload final Trivy Docker Vulnerability Scan
uses: actions/upload-artifact@v4
with:
name: trivy-docker-report-json
path: trivy-docker-results.json
- name: Run Trivy code vulnerability scanner (SPDX-JSON Output)
run: |
trivy --quiet fs \
--format spdx-json \
--output trivy-code-spdx-results.json \
--ignore-unfixed \
--vuln-type os,library \
--severity CRITICAL,HIGH,MEDIUM \
.
- name: Upload SPDX Code Vulnerability Scan Results
uses: actions/upload-artifact@v4
with:
name: trivy-code-spdx-report-json
path: trivy-code-spdx-results.json
- name: Run Trivy vulnerability scanner for Docker image (SPDX-JSON Output)
uses: aquasecurity/[email protected]
with:
image-ref: 'docker.io/securefederatedai/openfl:${{ github.sha }}'
format: 'spdx-json'
output: 'trivy-docker-spdx-results.json'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH,MEDIUM'
trivyignores: '.trivyignore'
- name: Upload SPDX Docker Vulnerability Scan
uses: actions/upload-artifact@v4
with:
name: trivy-docker-spdx-report-json
path: trivy-docker-spdx-results.json