topaLE
/
vaultwarden
mirror of https://github.com/dani-garcia/vaultwarden
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Merge pull request #7 from kalvinparker/chore/consolidate-workflows 

chore(ci): consolidate Trivy workflows into ci.yml
pull/6721/head
kalvinparker 2 months ago
committed by GitHub
parent
c8cf780c5f 3863c1bcb2
commit
3feee4758b
No known key found for this signature in database GPG Key ID: B5690EEEBB952194
2 changed files with 14 additions and 59 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 22
      .github/workflows/ci.yml
  2. 51
      .github/workflows/trivy.yml

22
.github/workflows/ci.yml
View File

@ -1,26 +1,32 @@
name: Automated Security Gates name: Consolidated CI - Repo Trivy Scan
on: on:
push: push:
branches: [ main, master ] branches: [ main, master ]
pull_request: pull_request:
branches: [ main, master ] branches: [ main, master ]
schedule:
- cron: '0 4 * * *'
permissions:
contents: read
security-events: write
jobs: jobs:
build-and-scan: trivy-scan:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout Code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Automated Vulnerability Scan (Trivy) - name: Run Trivy vulnerability scanner (repo)
uses: aquasecurity/trivy-action@0.33.1 uses: aquasecurity/trivy-action@0.33.1
with: with:
scan-type: 'fs' scan-type: repo
ignore-unfixed: true ignore-unfixed: true
format: 'sarif' format: sarif
output: 'trivy-results.sarif' output: trivy-results.sarif
exit-code: '1' severity: CRITICAL,HIGH
- name: Upload SARIF results to GitHub Code Scanning - name: Upload SARIF results to GitHub Code Scanning
uses: github/code-scanning-action/upload-sarif@v2 uses: github/code-scanning-action/upload-sarif@v2

51
.github/workflows/trivy.yml
View File

@ -1,51 +0,0 @@
name: Trivy
permissions: {}
on:
push:
branches:
- main
tags:
- '*'
pull_request:
branches:
- main
schedule:
- cron: '08 11 * * *'
jobs:
trivy-scan:
# Only run this in the upstream repo and not on forks
# When all forks run this at the same time, it is causing `Too Many Requests` issues
if: ${{ github.repository == 'dani-garcia/vaultwarden' }}
name: Trivy Scan
permissions:
security-events: write # To write the security report
runs-on: ubuntu-24.04
timeout-minutes: 30
steps:
- name: Checkout code
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
with:
persist-credentials: false
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
env:
TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2
TRIVY_JAVA_DB_REPOSITORY: docker.io/aquasec/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1
with:
scan-type: repo
ignore-unfixed: true
format: sarif
output: trivy-results.sarif
severity: CRITICAL,HIGH
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
with:
sarif_file: 'trivy-results.sarif'
Write Preview
Loading…
Cancel
Save