Trivy Scanner - Container Images #874

Workflow file for this run

.github/workflows/trivy-containers.yaml at a24e2ad

	name: Trivy Scanner - Container Images
	on:
	push:
	branches:
	- master
	schedule:
	- cron: '0 /24 * *'

	jobs:
	build-matrix:
	runs-on: ubuntu-latest
	outputs:
	images: ${{ steps.set-matrix.outputs.result }}

	steps:
	- name: Checkout code
	uses: actions/checkout@v4

	- id: set-matrix
	uses: mikefarah/yq@master
	with:
	# Dynamically build the matrix of images to scan
	cmd: "yq '[{\"repository\": .image.repository, \"tag\": \"v'$(yq '.appVersion' charts/aws-ebs-csi-driver/Chart.yaml)'\"}] + (.sidecars \| map(.image)) \| map(.repository + \":\" + .tag) \| . style=\"flow\"' charts/aws-ebs-csi-driver/values.yaml"

	trivy-scan:
	needs: build-matrix
	runs-on: ubuntu-latest
	strategy:
	matrix:
	image: ${{ fromJson(needs.build-matrix.outputs.images) }}

	steps:
	- name: Configure AWS Credentials
	uses: aws-actions/configure-aws-credentials@v4
	with:
	aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
	aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
	role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
	role-session-name: GitHubCI
	aws-region: us-east-1
	role-duration-seconds: 1800
	role-skip-session-tagging: true

	- name: Login to Amazon ECR Public
	uses: aws-actions/amazon-ecr-login@v2
	with:
	registry-type: public

	- name: Pull container image
	run: docker pull ${{ matrix.image }}

	- name: Scan container image
	uses: aquasecurity/trivy-action@0.16.1
	with:
	image-ref: '${{ matrix.image }}'
	output: 'results.sarif'
	format: 'sarif'
	ignore-unfixed: true
	severity: 'HIGH,CRITICAL'

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v2
	with:
	sarif_file: 'results.sarif'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Trivy Scanner - Container Images #874

Workflow file

Trivy Scanner - Container Images #874

Jobs

Run details

Workflow file for this run