feat(code-scanning): Update Trivy starter workflows #2872
Pull Request Overview
This PR updates the Trivy starter workflows for Code Scanning by introducing a new repository vulnerability scan workflow, updating the IaC scan workflow to the latest recommended examples, and deprecating the tfsec workflow.
- Adds code-scanning/trivy-vulnerability-scan.yml for repo vulnerability scanning.
- Updates code-scanning/trivy-iac-scan.yml with a more descriptive name, explicit OS version, and revised Trivy action version.
- Removes the deprecated tfsec.yml workflow.
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| `code-scanning/trivy-vulnerability-scan.yml` | New workflow for running Trivy vulnerability scans in repository (fs) mode. |
| `code-scanning/trivy-iac-scan.yml` | Updated workflow for running Trivy IaC scans with revised parameters and OS version. |
| `code-scanning/tfsec.yml` | Deprecated tfsec workflow has been removed. |
Comments suppressed due to low confidence (2)

`code-scanning/trivy-iac-scan.yml:6`
- [nitpick] Consider verifying that including 'IaC' in the workflow name aligns with our naming convention, which generally uses only the language or platform name.
  `name: Trivy IaC Scan`

`code-scanning/trivy-iac-scan.yml:33`
- Ensure that version 0.30.0 of the Trivy action has been fully verified with these workflow settings, as the action behavior and supported flags may have changed from previous versions.
  `uses: aquasecurity/trivy-action@0.30.0`
Signed-off-by: simar <[email protected]>
@DanRigby I'm not sure who's the right person to ask, but is it possible if we could approve and merge this if it looks good to the team?
Description
This PR updates the Trivy workflows to the latest recommended workflow examples. Also deprecates the `tfsec` workflow as we've integrated its functionality into Trivy.

Signed-off-by: Simar [email protected]
Pre-requisites
Please note that at this time we are only accepting new starter workflows for Code Scanning. Updates to existing starter workflows are fine.

Tasks
For all workflows, the workflow:
- `.yml` file with the language or platform as its filename, in lower, kebab-cased format (for example, `docker-image.yml`). Special characters should be removed or replaced with words as appropriate (for example, "dotnet" instead of ".NET").
- `GITHUB_TOKEN` so that the workflow runs successfully.

For CI workflows, the workflow:
- `ci` directory.
- `ci/properties/*.properties.json` file (for example, `ci/properties/docker-publish.properties.json`).
- `push` to `branches: [ $default-branch ]` and `pull_request` to `branches: [ $default-branch ]`.
- `release` with `types: [ created ]`.
- `docker-publish.yml`).

For Code Scanning workflows, the workflow:
- `code-scanning` directory.
- `code-scanning/properties/*.properties.json` file (for example, `code-scanning/properties/codeql.properties.json`), with properties set as follows:
  - `name`: Name of the Code Scanning integration.
  - `creator`: Name of the organization/user producing the Code Scanning integration.
  - `description`: Short description of the Code Scanning integration.
  - `categories`: Array of languages supported by the Code Scanning integration.
  - `iconName`: Name of the SVG logo representing the Code Scanning integration. This SVG logo must be present in the `icons` directory.
- `push` to `branches: [ $default-branch, $protected-branches ]` and `pull_request` to `branches: [ $default-branch ]`. We also recommend a `schedule` trigger of `cron: $cron-weekly` (for example, `codeql.yml`).

Some general notes:
- `actions` organization, or
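As an added example (not the file from this PR and not code from github/starter-workflows), here is what a Code Scanning starter workflow for a Trivy repository (fs) scan looks like when it follows the checklist above: `push`/`pull_request`/`schedule` triggers using the template placeholders, a least-privileged `GITHUB_TOKEN`, an explicit OS version, the `0.30.0` action pin mentioned in the review, and SARIF upload so findings land in the Security tab. The Trivy action inputs, the `ubuntu-24.04` runner and the `severity` threshold are assumptions.

```yaml
# Illustrative starter workflow (assumed, not the PR's actual file):
# Trivy scans the checked-out repository (fs mode) and uploads SARIF
# to Code Scanning. $default-branch, $protected-branches and
# $cron-weekly are the placeholders named in the checklist above.
name: Trivy

on:
  push:
    branches: [ $default-branch, $protected-branches ]
  pull_request:
    branches: [ $default-branch ]
  schedule:
    - cron: $cron-weekly

# Least-privileged GITHUB_TOKEN: read the repo, write only scan results.
permissions:
  contents: read
  security-events: write
  actions: read   # needed by upload-sarif on private repositories

jobs:
  trivy:
    name: Trivy vulnerability scan
    runs-on: ubuntu-24.04   # explicit OS version instead of ubuntu-latest (assumed)
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner in repository mode
        uses: aquasecurity/trivy-action@0.30.0
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'
          ignore-unfixed: true          # skip findings with no available fix
          severity: 'CRITICAL,HIGH'     # assumed threshold; tune per repo

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
```

A matching `code-scanning/properties/trivy.properties.json` with the `name`, `creator`, `description`, `categories` and `iconName` keys listed above is still required alongside the workflow file.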