Skip to content

Trivy scan for release branches #669

Trivy scan for release branches

Trivy scan for release branches #669

Workflow file for this run

name: Trivy
on:
pull_request:
# schedule:
# - cron: '0 10 * * *'
# push:
# branches:
# - main
# - 'v[0-9]+.[0-9]+'
# - '[0-9]+.[0-9]+'
# tags:
# - 'v[0-9]+.[0-9]+'
jobs:
prepare:
runs-on: ubuntu-latest
steps:
- name: Checking out repo
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: create branches to test
run: |
BRANCHES=$(git branch -r | grep -E '(v[0-9]+.[0-9]+)|(release-[0-9]+.[0-9]+)|([0-9]+.[0-9]+$)' | sed -e 's#^ origin/##' | jq -R -s -c 'split("\n")[:-1]')
echo "test"
echo "name=BRANCHES::$(echo $BRANCHES)" >> $GITHUB_OUTPUT
- name: list branches to test
run: |
echo ${{ env.BRANCHES }}
# scan:
# runs-on: ubuntu-latest
# strategy:
# matrix:
# branch: [master]
# permissions:
# security-events: write
# steps:
# - name: Checking out repo
# uses: actions/checkout@v4
# with:
# ref: ${{ matrix.branch }}
# - name: Run Trivy vulnerability scanner in repo mode
# uses: aquasecurity/trivy-action@0.28.0
# with:
# scan-type: "fs"
# ignore-unfixed: true
# format: "sarif"
# output: "output.sarif"
# severity: "MEDIUM,HIGH,CRITICAL"
# env:
# TRIVY_DB-REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db"
# - name: Get commit sha
# run: |
# SHA="$(git rev-parse HEAD)"
# echo "head_sha=$SHA" >> "$GITHUB_ENV"
# - name: Upload Trivy scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v3
# with:
# sarif_file: "output.sarif"
# sha: ${{ env.head_sha }}
# ref: refs/heads/${{ matrix.branch }}