From a73bfd0d64c239603e536e398ac243a6f91532f2 Mon Sep 17 00:00:00 2001
From: Alex Steel <130377221+asteel-gsa@users.noreply.github.com>
Date: Fri, 15 Nov 2024 11:49:37 -0500
Subject: [PATCH] Patch scanner on publish container workflow (#4460)

* Modify scanner in weekly publish workflow

* Modify workflow params

* Disable VEX Notice

* Add backwards compatability
---
 .../pull-containers-and-push-to-ghcr.yml | 22 +++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/pull-containers-and-push-to-ghcr.yml b/.github/workflows/pull-containers-and-push-to-ghcr.yml
index 45f85e4d15..f90cfa63ca 100644
--- a/.github/workflows/pull-containers-and-push-to-ghcr.yml
+++ b/.github/workflows/pull-containers-and-push-to-ghcr.yml
@@ -33,8 +33,26 @@ jobs:
       - name: Pull Docker Image
         run: docker pull ${{ matrix.image.name }}
 
-      - name: Scan Image
-        run: docker run aquasec/trivy:latest image --timeout 5m --scanners vuln --exit-code 1 --severity CRITICAL,HIGH ${{ matrix.image.name }}
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.28.0
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db
+          TRIVY_SKIP_DB_UPDATE: true
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
+          TRIVY_DISABLE_VEX_NOTICE: true
+        with:
+          image-ref: '${{ matrix.image.name }}'
+          scan-type: 'image'
+          hide-progress: false
+          exit-code: 1
+          severity: 'CRITICAL,HIGH'
+          scanners: 'vuln'
+          timeout: 15m0s
+          ignore-unfixed: true
+
+      # - name: Scan Image
+      #   run: docker run aquasec/trivy:latest image --db-repository public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db --java-db-repository public.ecr.aws/aquasecurity/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db --timeout 5m --scanners vuln --exit-code 1 --severity CRITICAL,HIGH ${{ matrix.image.name }}
 
       - name: Tag Image
         run: |
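Review bot: `ignore-unfixed: true` in the new `with:` block silently widens what the gate accepts: the replaced `docker run … trivy` command had no `--ignore-unfixed`, so CRITICAL/HIGH findings with no vendor fix now pass the publish step instead of failing it, and nothing in the hunk records that this loosening was intended. If it is intended, say so above the key, e.g. `# Unfixed CRITICAL/HIGH findings are accepted here and must be tracked elsewhere`; otherwise drop the key to keep the old gate semantics. `TRIVY_SKIP_DB_UPDATE: true` / `TRIVY_SKIP_JAVA_DB_UPDATE: true` also mean this step never refreshes the vulnerability DB, so on a weekly scheduled run the scan is only as current as whatever DB the action finds in its cache; unless an earlier step not visible here downloads a fresh DB from the mirrors listed in `TRIVY_DB_REPOSITORY`, the gate can pass against stale data or fail with a missing-DB error. Finally, `uses: aquasecurity/trivy-action@0.28.0` is a mutable tag; for a step that decides whether an image is published, pin to the release's full commit SHA with the tag in a trailing comment, and delete the commented-out old step rather than leaving dead config behind.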