Scheduled Trivy Docker image scan #62

Workflow file for this run

.github/workflows/trivy-docker-image-scan.yml at e12c69d

	#
	# SPDX-FileCopyrightText: 2024 Lifely
	# SPDX-License-Identifier: EUPL-1.2+
	#
	name: Scheduled Trivy Docker image scan

	on:
	schedule:
	- cron: "0 3 * * 1-5"
	workflow_dispatch:

	env:
	ZAC_IMAGE_URL: 'ghcr.io/infonl/zaakafhandelcomponent:latest'

	permissions:
	security-events: write

	jobs:
	build:
	name: Run Trivy Docker image scan
	runs-on: ubuntu-22.04
	steps:
	- name: Pull Docker Image
	run: docker pull ${{ env.ZAC_IMAGE_URL }}

	- name: Run Trivy Vulnerability Scanner
	uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
	with:
	image-ref: ${{ env.ZAC_IMAGE_URL }}
	format: 'sarif'
	output: 'trivy-results.sarif'
	# limit the severities even when using Sarif
	# or else all vulnerabilities will be reported
	limit-severities-for-sarif: true
	severity: 'CRITICAL,HIGH'
	env:
	# skip downloading the Trivy databases since we update the Trivy cache regularly
	# in another workflow
	TRIVY_SKIP_DB_UPDATE: true
	TRIVY_SKIP_JAVA_DB_UPDATE: true

	- name: Upload Trivy Scan Results to GitHub Security Tab
	uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
	with:
	sarif_file: 'trivy-results.sarif'

	- name: Run Snyk to check Docker image for vulnerabilities
	continue-on-error: true
	uses: snyk/actions/docker@cdb760004ba9ea4d525f2e043745dfe85bb9077e # master
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	with:
	sarif: true
	image: ${{ env.ZAC_IMAGE_URL }}
	args: --sarif --sarif-file-output=snyk-docker.sarif

	- name: Upload Snyk Scan Results to GitHub Security Tab
	uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
	with:
	sarif_file: 'snyk-docker.sarif'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Scheduled Trivy Docker image scan #62

Workflow file

Scheduled Trivy Docker image scan #62

Jobs

Run details

Workflow file for this run