Set TRIVY_DB_REPOSITORY env variable in GitHub workflow.

dbca-wa · Nov 13, 2024 · 8f84446 · 8f84446
1 parent 855500d
commit 8f84446
Showing 1 changed file with 12 additions and 9 deletions.
diff --git a/.github/workflows/image-build-scan.yml b/.github/workflows/image-build-scan.yml
@@ -5,7 +5,7 @@ on:
     # Publish `master` as `latest` image.
     branches: [master]
     # Publish 1.* and 2.* tags as releases.
-    tags: ['1.*','2.*']
+    tags: ["1.*", "2.*"]
   pull_request:
     branches: [master]
 
@@ -77,16 +77,19 @@ jobs:
       # Run vulnerability scan on built image
       #----------------------------------------------
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/[email protected]
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
         with:
-          scan-type: 'image'
-          scanners: 'vuln'
+          scan-type: "image"
+          scanners: "vuln"
           image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          vuln-type: 'os,library'
-          severity: 'HIGH,CRITICAL'
-          format: 'sarif'
-          output: 'trivy-results.sarif'
+          vuln-type: "os,library"
+          severity: "HIGH,CRITICAL"
+          format: "sarif"
+          output: "trivy-results.sarif"
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: "trivy-results.sarif"