Don't use secret scanner for trivy - github already does it and it's hard to ignore the test key
Some checks failed
Some checks failed
This commit is contained in:
Dan Milne
4
.github/workflows/ci.yml
vendored
4
.github/workflows/ci.yml
vendored
@@ -43,6 +43,9 @@ jobs:
|
|||||||
|
|
||||||
scan_container:
|
scan_container:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
security-events: write # Required for uploading SARIF results
|
||||||
|
contents: read
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
@@ -58,6 +61,7 @@ jobs:
|
|||||||
format: 'sarif'
|
format: 'sarif'
|
||||||
output: 'trivy-results.sarif'
|
output: 'trivy-results.sarif'
|
||||||
severity: 'CRITICAL,HIGH'
|
severity: 'CRITICAL,HIGH'
|
||||||
|
scanners: 'vuln' # Only scan vulnerabilities, not secrets (avoids false positives in vendored gems)
|
||||||
|
|
||||||
- name: Upload Trivy results to GitHub Security tab
|
- name: Upload Trivy results to GitHub Security tab
|
||||||
uses: github/codeql-action/upload-sarif@v3
|
uses: github/codeql-action/upload-sarif@v3
|
||||||
|
|||||||
@@ -724,10 +724,10 @@ brew install trivy # macOS
|
|||||||
|
|
||||||
# Build and scan image (CRITICAL and HIGH severity only, like CI)
|
# Build and scan image (CRITICAL and HIGH severity only, like CI)
|
||||||
docker build -t clinch:local .
|
docker build -t clinch:local .
|
||||||
trivy image --severity CRITICAL,HIGH clinch:local
|
trivy image --severity CRITICAL,HIGH --scanners vuln clinch:local
|
||||||
|
|
||||||
# Scan only for fixable vulnerabilities
|
# Scan only for fixable vulnerabilities
|
||||||
trivy image --severity CRITICAL,HIGH --ignore-unfixed clinch:local
|
trivy image --severity CRITICAL,HIGH --scanners vuln --ignore-unfixed clinch:local
|
||||||
```
|
```
|
||||||
|
|
||||||
**CI/CD Integration:**
|
**CI/CD Integration:**
|
||||||
|
|||||||
Reference in New Issue
Block a user