authornico <[email protected]>2023-11-05 14:00:24 +0000
committerGitHub <[email protected]>2023-11-05 15:00:24 +0100
commit512b3b9b7cdea6ba369f708fcce583ee81dbccda (patch)
tree5c00994e32129693ff6820c49e361f4ff64f96f4
parent93da5091e6e0c40b43ad75c4c85651835b0bac44 (diff)
downloadvaultwarden-512b3b9b7cdea6ba369f708fcce583ee81dbccda.tar.gz
vaultwarden-512b3b9b7cdea6ba369f708fcce583ee81dbccda.zip
ci: add trivy workflow (#3997)
* ci: add trivy workflow to ensure critical and high vulnerabilities are detected quickly * push trivy-action to 0.13.1
-rw-r--r--.github/workflows/trivy.yml43
1 files changed, 43 insertions, 0 deletions
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 00000000..777fefe5
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,43 @@
+name: trivy
+
+on:
+ push:
+ branches:
+ - main
+ - release-build-revision
+ tags:
+ - '*'
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '00 12 * * *'
+
+permissions:
+ contents: read
+
+jobs:
+ trivy-scan:
+ name: Check
+ runs-on: ubuntu-22.04
+ timeout-minutes: 30
+ permissions:
+ contents: read
+ security-events: write
+ actions: read
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@f78e9ecf42a1271402d4f484518b9313235990e1 # v0.13.1
+ with:
+ scan-type: repo
+ ignore-unfixed: true
+ format: sarif
+ output: trivy-results.sarif
+ severity: CRITICAL,HIGH
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@bad341350a2f5616f9e048e51360cedc49181ce8 # v2.22.4
+ with:
+ sarif_file: 'trivy-results.sarif'
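Review bot: `ignore-unfixed: true` on the "Run Trivy vulnerability scanner" step suppresses every finding that has no upstream fix yet, so CRITICAL/HIGH issues without a patch never reach the Security tab and a clean run does not mean "no known vulnerabilities"; that trade-off should be recorded next to the option, e.g. `# unfixed findings are hidden on purpose; review them periodically with ignore-unfixed off`. `scan-type: repo` also only covers the checked-out source tree (lockfiles, config), not the published container images, so image-level OS package CVEs stay outside this workflow despite the commit message promising quick detection — a one-line comment under `with:` stating the scope would prevent that assumption. On `pull_request` runs from forks the token is read-only regardless of the job-level `security-events: write`, so the upload-sarif step will presumably fail there; guarding it with `if: github.event.pull_request.head.repo.full_name == github.repository` is worth verifying against how the repository handles fork PRs. Minor style point: `branches: [ "main" ]` is flow style while the rest of the file uses block sequences.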