diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 3bc1bf0..95df260 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -159,7 +159,7 @@ jobs:
       with:
         sarif_file: 'snyk.sarif'
   scan:
-    name: "Trivy (sarif)"
+    name: "Trivy"
     runs-on: ubuntu-latest
     needs: build
     permissions:
@@ -178,40 +178,24 @@ jobs:
         docker load --input /tmp/${{ env.ARTIFACT_NAME }}_prod.tar
         docker image ls -a
 
-      - name: Run Trivy vulnerability scanner
+      - name: Run Trivy vulnerability scanner (cli report)
+        uses: aquasecurity/trivy-action@0.24.0
+        with:
+          image-ref: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          format: 'table'
+        env:
+          TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}
+
+      - name: Run Trivy vulnerability scanner (sarif report)
         uses: aquasecurity/trivy-action@0.24.0
         with:
           image-ref: ${{ env.IMAGE_NAME }}:${{ github.sha }}
           format: 'sarif'
           output: 'trivy-results.sarif'
+        env:
+          TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}
 
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: 'trivy-results.sarif'
-        env:
-          ACTIONS_RUNTIME_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-  report:
-    name: "Trivy (report)"
-    runs-on: ubuntu-latest
-    needs: build
-    steps:
-      - name: Download artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: ${{ env.ARTIFACT_NAME }}_prod
-          path: /tmp/
-      - name: Load image
-        run: |
-          docker load --input /tmp/${{ env.ARTIFACT_NAME }}_prod.tar
-          docker image ls -a
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.24.0
-        with:
-          image-ref: ${{ env.IMAGE_NAME }}:${{ github.sha }}
-          format: 'table'
-        env:
-          ACTIONS_RUNTIME_TOKEN: ${{ secrets.GITHUB_TOKEN }}
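Review bot: The added `uses: aquasecurity/trivy-action@0.24.0` line in the new "(cli report)" step (and the unchanged one in the sarif step below it) resolves the action by a mutable release tag; since this step's output is what reaches the Security tab, pinning it to the full commit of that release, `uses: aquasecurity/trivy-action@<full-commit-sha> # 0.24.0`, keeps a retagged release from silently swapping the scanner. The two added `env:` blocks repeat `TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}`; the `scan` job header sits in the previous hunk, so a single job-level `env:` entry there would remove the duplication, and a comment such as `# empty when the repository variable is unset — confirm the action falls back to its default DB source` would document the case the hunk does not handle. The new table-format step sets no `exit-code`, so as written it prints findings without gating the job; if that is intended, a `# informational only: findings never fail this step` comment on it makes the intent explicit for the next reader.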