diff --git a/.github/workflows/trivy-security-scan.yml b/.github/workflows/trivy-security-scan.yml index 09411879a6..12be79ccb4 100644 --- a/.github/workflows/trivy-security-scan.yml +++ b/.github/workflows/trivy-security-scan.yml @@ -6,11 +6,8 @@ name: trivy-security-scan on: - push: - branches: - - 'bump-trivy-fix' - # repository_dispatch: - # types: [trivy-scan-dispatch] + repository_dispatch: + types: [trivy-scan-dispatch] jobs: trivy_scan: @@ -24,53 +21,51 @@ jobs: uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 # Image availability check with retry logic - # - name: Check Docker image availability with retry - # id: check-image - # if: github.event.client_payload.image != '' - # run: | - # image="${{ github.event.client_payload.image }}" - # interval=300 - # retry_limit=5 - # attempt=0 + - name: Check Docker image availability with retry + id: check-image + if: github.event.client_payload.image != '' + run: | + image="${{ github.event.client_payload.image }}" + interval=300 + retry_limit=5 + attempt=0 - # while ! docker pull $image; do - # attempt=$((attempt + 1)) - # if [ "$attempt" -gt "$retry_limit" ]; then - # echo "::error::Image $image is not available after $retry_limit attempts." - # exit 1 - # fi + while ! docker pull $image; do + attempt=$((attempt + 1)) + if [ "$attempt" -gt "$retry_limit" ]; then + echo "::error::Image $image is not available after $retry_limit attempts." + exit 1 + fi - # echo "Waiting for $image to be available. Attempt $attempt/$retry_limit. Retrying in $interval seconds..." - # sleep $interval - # done + echo "Waiting for $image to be available. Attempt $attempt/$retry_limit. Retrying in $interval seconds..." + sleep $interval + done - # echo "Image $image is now available." + echo "Image $image is now available." # Image scanning - # - name: Run Trivy vulnerability scanner on image - # if: github.event.client_payload.image != '' - # uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0 - # with: - # version: 'v0.57.2' - # image-ref: ${{ github.event.client_payload.image }} - # cache: 'true' - # format: "sarif" - # output: "trivy-image-results.sarif" - # exit-code: "1" - # ignore-unfixed: true - # vuln-type: "os,library" - # severity: "CRITICAL,HIGH" - # env: - # TRIVY_CACHE_DIR: .cache/trivy - # TRIVY_SKIP_DB_UPDATE: true - # TRIVY_SKIP_JAVA_DB_UPDATE: true + - name: Run Trivy vulnerability scanner on image + if: github.event.client_payload.image != '' + uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0 + with: + version: 'latest' + image-ref: ${{ github.event.client_payload.image }} + cache: 'true' + format: "sarif" + output: "trivy-image-results.sarif" + exit-code: "1" + ignore-unfixed: true + vuln-type: "os,library" + severity: "CRITICAL,HIGH" + env: + TRIVY_CACHE_DIR: .cache/trivy - # # Upload image scan results - # - name: Upload Trivy image scan results - # uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 - # with: - # sarif_file: "trivy-image-results.sarif" - # category: trivy-image + # Upload image scan results + - name: Upload Trivy image scan results + uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 + with: + sarif_file: "trivy-image-results.sarif" + category: trivy-image # Filesystem scanning - name: Run Trivy filesystem scan @@ -85,8 +80,6 @@ jobs: ignore-unfixed: true env: TRIVY_CACHE_DIR: .cache/trivy - # TRIVY_SKIP_DB_UPDATE: true - # TRIVY_SKIP_JAVA_DB_UPDATE: true # Upload filesystem scan results - name: Upload Trivy filesystem scan results