From b94b457ab22a557106062079e645c9acef881c35 Mon Sep 17 00:00:00 2001 From: Honest Bot Date: Wed, 6 Nov 2024 03:50:09 +0000 Subject: [PATCH] feat: add trivy workflows to public repos | DEVOP-4003 (#403) --- .github/workflows/trivy.yaml | 30 ++++++++++++++++++++++++++++++ trivy.yaml | 19 +++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 .github/workflows/trivy.yaml create mode 100644 trivy.yaml diff --git a/.github/workflows/trivy.yaml b/.github/workflows/trivy.yaml new file mode 100644 index 0000000..65b1627 --- /dev/null +++ b/.github/workflows/trivy.yaml @@ -0,0 +1,30 @@ +--- +name: Trivy Security Scan + +# permissions required for the action, restricting to read-only for repository contents. +permissions: + contents: read + +on: + pull_request: + branches: + - main + +jobs: + trivy-security-scan: + name: Run Trivy Security Scan + runs-on: ubuntu-latest + + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + with: + submodules: "recursive" # Ensure any submodules are included in the scan. + token: ${{ secrets.ENGINEERING_GITHUB_PERSONAL_ACCESS_TOKEN }} + + # Run Trivy Configuration Scan with specified options. + - name: Run Trivy Security Scan + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: 'config' + trivy-config: 'trivy.yaml' diff --git a/trivy.yaml b/trivy.yaml new file mode 100644 index 0000000..a93de9f --- /dev/null +++ b/trivy.yaml @@ -0,0 +1,19 @@ +scan: + skip-dirs: + - test + - .terraform + + misconfiguration: + exclude-downloaded-modules: true # Exclude third-party downloaded modules from scanning + +# Specify the ignore file for ignored checks or vulnerabilities +ignoreFile: .trivyignore + +# Define the severities to focus on (UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL) +severity: + - HIGH + - CRITICAL + - MEDIUM + +# Exit with code 1 if vulnerabilities or misconfigurations are found default to 0 +exit-code: 1