chore(deps): update trufflesecurity/trufflehog docker tag to v3.83.5 #8818
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| ######################### | |
| ######################### | |
| ## Deploy Docker Image Linters ## | |
| ######################### | |
| ######################### | |
| # Documentation: | |
| # https://help.github.com/en/articles/workflow-syntax-for-github-actions | |
| # | |
| ####################################### | |
| # Start the job on all push to main # | |
| ####################################### | |
| name: "Build & Deploy - DEV linters" | |
| on: | |
| pull_request: | |
| ############### | |
| # Set the Job # | |
| ############### | |
| concurrency: | |
| group: ${{ github.ref_name }}-${{ github.workflow }} | |
| cancel-in-progress: true | |
| jobs: | |
| build: | |
| # Name the Job | |
| name: DEV/Linters | |
| # Set the agent to run on | |
| runs-on: ubuntu-latest | |
| permissions: read-all | |
| strategy: | |
| fail-fast: false | |
| max-parallel: 14 | |
| matrix: | |
| # linters-start | |
| linter: | |
| [ | |
| "action_actionlint", | |
| "ansible_ansible_lint", | |
| "api_spectral", | |
| "arm_arm_ttk", | |
| "bash_exec", | |
| "bash_shellcheck", | |
| "bash_shfmt", | |
| "bicep_bicep_linter", | |
| "c_cpplint", | |
| "c_clang_format", | |
| "clojure_clj_kondo", | |
| "cloudformation_cfn_lint", | |
| "coffee_coffeelint", | |
| "copypaste_jscpd", | |
| "cpp_cpplint", | |
| "cpp_clang_format", | |
| "csharp_dotnet_format", | |
| "csharp_csharpier", | |
| "csharp_roslynator", | |
| "css_stylelint", | |
| "dart_dartanalyzer", | |
| "dockerfile_hadolint", | |
| "editorconfig_editorconfig_checker", | |
| "env_dotenv_linter", | |
| "gherkin_gherkin_lint", | |
| "go_golangci_lint", | |
| "go_revive", | |
| "graphql_graphql_schema_linter", | |
| "groovy_npm_groovy_lint", | |
| "html_djlint", | |
| "html_htmlhint", | |
| "java_checkstyle", | |
| "java_pmd", | |
| "javascript_es", | |
| "javascript_standard", | |
| "javascript_prettier", | |
| "json_jsonlint", | |
| "json_v8r", | |
| "json_prettier", | |
| "json_npm_package_json_lint", | |
| "jsx_eslint", | |
| "kotlin_ktlint", | |
| "kotlin_detekt", | |
| "kubernetes_kubeconform", | |
| "kubernetes_helm", | |
| "kubernetes_kubescape", | |
| "latex_chktex", | |
| "lua_luacheck", | |
| "lua_selene", | |
| "lua_stylua", | |
| "markdown_markdownlint", | |
| "markdown_markdown_link_check", | |
| "markdown_markdown_table_formatter", | |
| "perl_perlcritic", | |
| "php_phpcs", | |
| "php_phpstan", | |
| "php_psalm", | |
| "php_phplint", | |
| "php_phpcsfixer", | |
| "powershell_powershell", | |
| "powershell_powershell_formatter", | |
| "protobuf_protolint", | |
| "puppet_puppet_lint", | |
| "python_pylint", | |
| "python_black", | |
| "python_flake8", | |
| "python_isort", | |
| "python_bandit", | |
| "python_mypy", | |
| "python_pyright", | |
| "python_ruff", | |
| "r_lintr", | |
| "raku_raku", | |
| "repository_checkov", | |
| "repository_devskim", | |
| "repository_dustilock", | |
| "repository_git_diff", | |
| "repository_gitleaks", | |
| "repository_grype", | |
| "repository_kics", | |
| "repository_ls_lint", | |
| "repository_secretlint", | |
| "repository_semgrep", | |
| "repository_syft", | |
| "repository_trivy", | |
| "repository_trivy_sbom", | |
| "repository_trufflehog", | |
| "rst_rst_lint", | |
| "rst_rstcheck", | |
| "rst_rstfmt", | |
| "ruby_rubocop", | |
| "rust_clippy", | |
| "salesforce_sfdx_scanner_apex", | |
| "salesforce_sfdx_scanner_aura", | |
| "salesforce_sfdx_scanner_lwc", | |
| "salesforce_lightning_flow_scanner", | |
| "scala_scalafix", | |
| "snakemake_lint", | |
| "snakemake_snakefmt", | |
| "spell_cspell", | |
| "spell_proselint", | |
| "spell_vale", | |
| "spell_lychee", | |
| "sql_sqlfluff", | |
| "sql_tsqllint", | |
| "swift_swiftlint", | |
| "tekton_tekton_lint", | |
| "terraform_tflint", | |
| "terraform_terrascan", | |
| "terraform_terragrunt", | |
| "terraform_terraform_fmt", | |
| "tsx_eslint", | |
| "typescript_es", | |
| "typescript_standard", | |
| "typescript_prettier", | |
| "vbdotnet_dotnet_format", | |
| "xml_xmllint", | |
| "yaml_prettier", | |
| "yaml_yamllint", | |
| "yaml_v8r", | |
| ] | |
| # linters-end | |
| platform: ["linux/amd64"] | |
| # Only run this on the main repo | |
| if: | | |
| ( | |
| (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) || | |
| (github.event_name == 'push' && github.repository == 'oxsecurity/megalinter') | |
| ) | |
| && !contains(github.event.head_commit.message, 'skip deploy') | |
| ################## | |
| # Load all steps # | |
| ################## | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| - name: Docker Metadata action | |
| uses: docker/[email protected] | |
| id: meta | |
| with: | |
| images: | | |
| ${{ github.repository }}-only-${{ matrix.linter }} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| if: ${{ ( ( runner.arch != 'X64' || runner.os != 'Linux' ) && matrix.platform == 'linux/amd64' ) || matrix.platform != 'linux/amd64' }} | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build Image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| file: linters/${{ matrix.linter }}/Dockerfile | |
| platforms: ${{ matrix.platform }} | |
| build-args: | | |
| BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} | |
| BUILD_VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }} | |
| BUILD_REVISION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} | |
| --squash # Enable image squashing to produce a single-layer image | |
| load: true | |
| push: false | |
| secrets: | | |
| GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| ##################################### | |
| # Run Linter test cases # | |
| ##################################### | |
| - name: Run Test Cases | |
| shell: bash | |
| run: | | |
| GITHUB_REPOSITORY=$([ "${{ github.event_name }}" == "pull_request" ] && echo "${{ github.event.pull_request.head.repo.full_name }}" || echo "${{ github.repository }}") | |
| GITHUB_BRANCH=$([ "${{ github.event_name }}" == "pull_request" ] && echo "${{ github.head_ref }}" || echo "${{ github.ref_name }}") | |
| TEST_KEYWORDS_TO_USE_UPPER="${{ matrix.linter }}" | |
| TEST_KEYWORDS_TO_USE="${TEST_KEYWORDS_TO_USE_UPPER,,}" | |
| docker image ls | |
| docker run -e TEST_CASE_RUN=true -e OUTPUT_FORMAT=text -e OUTPUT_FOLDER=${{ github.sha }} -e OUTPUT_DETAIL=detailed -e GITHUB_SHA=${{ github.sha }} -e GITHUB_REPOSITORY=${GITHUB_REPOSITORY} -e GITHUB_BRANCH=${GITHUB_BRANCH} -e GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}" -e TEST_KEYWORDS="${TEST_KEYWORDS_TO_USE}" -e MEGALINTER_VOLUME_ROOT="${GITHUB_WORKSPACE}" -v "/var/run/docker.sock:/var/run/docker.sock:rw" -v ${GITHUB_WORKSPACE}:/tmp/lint ${{ fromJson(steps.meta.outputs.json).tags[0]}} | |
| timeout-minutes: 30 | |
| ############################################## | |
| # Check Docker image security with Trivy # | |
| ############################################## | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: "${{ fromJson(steps.meta.outputs.json).tags[0] }}" | |
| format: "table" | |
| exit-code: "1" | |
| ignore-unfixed: true | |
| scanners: vuln | |
| vuln-type: "os,library" | |
| severity: "CRITICAL,HIGH" | |
| timeout: 10m0s | |
| env: | |
| ACTIONS_RUNTIME_TOKEN: ${{ secrets.GITHUB_TOKEN }} |