
Change trivy setup
berrydenhartog committed May 16, 2024
1 parent 8e5e53e commit 13e7813
Showing 4 changed files with 38 additions and 738 deletions.
60 changes: 27 additions & 33 deletions .github/workflows/ci.yml
Expand Up @@ -48,42 +48,14 @@ jobs:
steps:
- uses: actions/checkout@v4

- name: Install poetry
run: pipx install poetry

- name: Set up Python ${{ env.PYTHON_VERSION }}
uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
cache: "poetry"

- name: Install dependencies
run: poetry install

- name: Generate SBOM
run: poetry run cyclonedx-py poetry --without test,dev > sbom.json

- name: Generate licenses file
run: |
poetry run pip-licenses --order=license --format=json --with-description > licenses.txt
- name: Upload SBOM and licenses
uses: actions/upload-artifact@v4
with:
name: sbom-licenses-${{ github.sha }}.json
path: |
sbom.json
licenses.txt
if-no-files-found: error
overwrite: true

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
trivy-config: trivy.yaml

scan-type: fs
exit-code: 1
scan-ref: '.'
## dependency-tree
test:
runs-on: ubuntu-latest
strategy:
Expand Down Expand Up @@ -186,7 +158,7 @@ jobs:
annotations: ${{ steps.meta.outputs.annotations }}
platforms: linux/amd64,linux/arm64,darwin/amd64

- name: Run Trivy vulnerability scanner
- name: Run Trivy vulnerability scanner sarif
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.meta.outputs.tags }}
Expand All @@ -204,6 +176,28 @@ jobs:
with:
sarif_file: 'trivy-results.sarif'

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.meta.outputs.tags }}
trivy-config: trivy.yaml
scan-type: image
exit-code: 0
format: 'cyclonedx'
output: 'trivy-sbom.json'
env:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

- name: Upload SBOM
uses: actions/upload-artifact@v4
with:
name: sbom-${{ github.sha }}.json
path: |
trivy-sbom.json
if-no-files-found: error
overwrite: true

notifyMattermost:
runs-on: ubuntu-latest
needs: [lint, security, test, build ]
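Review bot: The `uses:` line of the newly added SBOM step references `aquasecurity/trivy-action@master`, a mutable branch ref, while the step's `env:` hands it `secrets.GITHUB_TOKEN` as `TRIVY_PASSWORD`, so whatever upstream's master points to at run time executes with that token. Pin the action to a full-length commit SHA and keep the version as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # vX.Y.Z` (placeholder), and apply the same pin to the `fs` scan step in the first hunk, which appears to keep the existing `@master` ref. The step name `Run Trivy vulnerability scanner` understates what the step does: with `format: 'cyclonedx'` and `exit-code: 0` it produces an SBOM and can never fail the job, so `- name: Generate SBOM with Trivy` would make the job log and the later `Upload SBOM` step's purpose clearer. If `steps.meta.outputs.tags` can expand to more than one tag, `image-ref` would receive a multi-line value; worth confirming which tag is intended. The enclosing build job begins outside this hunk.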
