Unverified Commit f9ccedde authored by Douglas Duteil's avatar Douglas Duteil Committed by GitHub

ci(github): update trivy-action to 0.0.17 (#657)

parent 985bf95a
......@@ -2,32 +2,46 @@ let GithubActions =
https://raw.githubusercontent.com/SocialGouv/.github/master/dhall/github-actions/package.dhall sha256:327d499ebf1ec63e5c3b0b0d5285b78a07be4ad1a941556eb35f67547004545f
let trivy-action =
https://raw.githubusercontent.com/SocialGouv/.github/master/dhall/steps/aquasecurity/trivy-action/package.dhall sha256:72a518acac9663695cd99b5219b2f6d330ab32c1077c20bbd7804d8798485416
https://raw.githubusercontent.com/SocialGouv/.github/74a94f85afe089eb8e8e7c66dd19fb37f64afd38/dhall/steps/aquasecurity/trivy-action/package.dhall sha256:aeeb75c894a6a7c51d0c83574310e58db4d11698cbe9b5f443beb3043931474d
let upload-sarif =
https://raw.githubusercontent.com/SocialGouv/.github/master/dhall/steps/github/codeql-action/upload-sarif/package.dhall sha256:e96a4a49e32c41420b99afd427f0549038b2b33d399ec1a66295e19e6cd9bf1a
let Input = trivy-action.Input
https://raw.githubusercontent.com/SocialGouv/.github/74a94f85afe089eb8e8e7c66dd19fb37f64afd38/dhall/steps/github/codeql-action/upload-sarif/package.dhall sha256:e96a4a49e32c41420b99afd427f0549038b2b33d399ec1a66295e19e6cd9bf1a
let job =
λ(input : trivy-action.Input.Type) →
λ(package : Text) →
GithubActions.Job::{
, name = Some "Vulnerability Scanner"
, needs = Some [ "Build" ]
, runs-on = GithubActions.RunsOn.Type.ubuntu-latest
, steps =
[ GithubActions.steps.actions/checkout
, GithubActions.Step::{ run = Some "docker pull ${input.image-ref}" }
, trivy-action.`0.0.14`
trivy-action.Input::{ image-ref = input.image-ref }
, GithubActions.Step::{
, run = Some
"docker pull ghcr.io/socialgouv/docker/${package}:sha-\${{ github.sha }}"
}
, trivy-action.`0.0.17`
trivy-action.Input::{
, image-ref =
"ghcr.io/socialgouv/docker/${package}:sha-\${{ github.sha }}"
}
⫽ { name = Some "Run Trivy vulnerability scanner" }
, trivy-action.`0.0.14`
( input
⫽ { format = Some "template"
, template = Some "@/contrib/sarif.tpl"
, output = Some "trivy-results.sarif"
}
)
, trivy-action.`0.0.17`
trivy-action.Input::{
, format = Some "template"
, image-ref =
"ghcr.io/socialgouv/docker/${package}:sha-\${{ github.sha }}"
, template = Some "@/contrib/sarif.tpl"
, output = Some "trivy-results.sarif"
}
⫽ { name = Some "Export Trivy Results as sarif" }
, GithubActions.Step::{
, name = Some "Change hardcoded Dockerfile path"
, run = Some
( "sed -i"
++ " 's/\"uri\": \"Dockerfile\"/\"uri\": \"${package}\\/Dockerfile\"/'"
++ " trivy-results.sarif"
)
}
, upload-sarif.codeql-bundle-20210421
upload-sarif.Input::{ sarif_file = Some "trivy-results.sarif" }
]
......@@ -35,38 +49,43 @@ let job =
let __test__foo =
assert
: job
Input::{
, image-ref =
"ghcr.io/\${{ github.repository }}/foo:sha-\${{ github.sha }}"
}
: job "foo"
≡ GithubActions.Job::{
, name = Some "Vulnerability Scanner"
, needs = Some [ "Build" ]
, runs-on = GithubActions.RunsOn.Type.ubuntu-latest
, steps =
[ GithubActions.steps.actions/checkout
, GithubActions.Step::{
, run = Some
"docker pull ghcr.io/\${{ github.repository }}/foo:sha-\${{ github.sha }}"
"docker pull ghcr.io/socialgouv/docker/foo:sha-\${{ github.sha }}"
}
, trivy-action.`0.0.14`
, trivy-action.`0.0.17`
trivy-action.Input::{
, image-ref =
"ghcr.io/\${{ github.repository }}/foo:sha-\${{ github.sha }}"
"ghcr.io/socialgouv/docker/foo:sha-\${{ github.sha }}"
}
⫽ { name = Some "Run Trivy vulnerability scanner" }
, trivy-action.`0.0.14`
, trivy-action.`0.0.17`
trivy-action.Input::{
, format = Some "template"
, image-ref =
"ghcr.io/\${{ github.repository }}/foo:sha-\${{ github.sha }}"
"ghcr.io/socialgouv/docker/foo:sha-\${{ github.sha }}"
, template = Some "@/contrib/sarif.tpl"
, output = Some "trivy-results.sarif"
}
⫽ { name = Some "Export Trivy Results as sarif" }
, GithubActions.Step::{
, name = Some "Change hardcoded Dockerfile path"
, run = Some
( "sed -i"
++ " 's/\"uri\": \"Dockerfile\"/\"uri\": \"foo\\/Dockerfile\"/'"
++ " trivy-results.sarif"
)
}
, upload-sarif.codeql-bundle-20210421
upload-sarif.Input::{ sarif_file = Some "trivy-results.sarif" }
]
}
in { job, Input }
in job
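Review bot: The `upload-sarif.codeql-bundle-20210421` step at the end of `job` (the two lines just before the closing `]` of `steps`) carries no `continue-on-error` override, whereas the inlined `security_scan` job this replaces in the workflow file had `⫽ { continue-on-error = Some True }`, so a failed SARIF upload now fails the whole security_scan job; the regenerated YAML sections (azure-cli through nginx4spa) show the same `continue-on-error: true` line being dropped. If that is intended it belongs in the commit message, which only mentions the 0.0.17 bump; otherwise restore it with `⫽ { continue-on-error = Some True }` on that step. Separately, the reference `"ghcr.io/socialgouv/docker/${package}:sha-\${{ github.sha }}"` is now spelled out three times inside `job` (the docker pull step and both trivy-action steps); one `let image-ref = ...` binding above `GithubActions.Job::{` would keep the pull and the two scans from drifting apart. Lastly the `GithubActions` import still resolves from `master` while the two step packages were pinned to commit `74a94f85afe089eb8e8e7c66dd19fb37f64afd38`; the sha256 already guarantees the imported content, so pinning that one too only prevents resolution from breaking once `master` moves.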
let GithubActions =
https://raw.githubusercontent.com/SocialGouv/.github/master/dhall/github-actions/package.dhall sha256:327d499ebf1ec63e5c3b0b0d5285b78a07be4ad1a941556eb35f67547004545f
let trivy-action =
https://raw.githubusercontent.com/SocialGouv/.github/master/dhall/steps/aquasecurity/trivy-action/package.dhall sha256:72a518acac9663695cd99b5219b2f6d330ab32c1077c20bbd7804d8798485416
let upload-sarif =
https://raw.githubusercontent.com/SocialGouv/.github/master/dhall/steps/github/codeql-action/upload-sarif/package.dhall sha256:e96a4a49e32c41420b99afd427f0549038b2b33d399ec1a66295e19e6cd9bf1a
let ContainerTestJob =
../jobs/ContainerTest.dhall sha256:bc34ac8b31da3add3f42e2db6d33bd4155c3c9e34c0e0d8bdec9ebec2aee2d34
......@@ -16,6 +10,9 @@ let DockerBuildJob =
let HadolintJob =
../jobs/Hadolint.dhall sha256:1d4f5d3df464f83d02f4a281a10a205731b08ee2d10c5fd23888cc4f9e9fa8be
let TrivyJob =
../jobs/Trivy.dhall sha256:b3cd9619858c6342ad323abb905d84001c356a754dfbd0053927d711137c0958
let Worklflow =
λ ( args
: { name : Text
......@@ -30,40 +27,7 @@ let Worklflow =
{ lint = HadolintJob args.name
, build = DockerBuildJob args.name
, container_test = ContainerTestJob { package = args.name }
, security_scan = GithubActions.Job::{
, name = Some "Vulnerability Scanner"
, needs = Some [ "Build" ]
, runs-on = GithubActions.RunsOn.Type.ubuntu-latest
, steps =
[ GithubActions.steps.actions/checkout
, GithubActions.Step::{
, run = Some
"docker pull ghcr.io/socialgouv/docker/${args.name}:sha-\${{ github.sha }}"
}
, trivy-action.`0.0.14`
trivy-action.Input::{
, format = Some "template"
, image-ref =
"ghcr.io/socialgouv/docker/${args.name}:sha-\${{ github.sha }}"
, output = Some "trivy-results.sarif"
, template = Some "@/contrib/sarif.tpl"
}
⫽ { name = Some "Run Trivy vulnerability scanner" }
, GithubActions.Step::{
, name = Some "Change hardcoded Dockerfile path"
, run = Some
( "sed -i"
++ " 's/\"uri\": \"Dockerfile\"/\"uri\": \"${args.name}\\/Dockerfile\"/'"
++ " trivy-results.sarif"
)
}
, upload-sarif.codeql-bundle-20210421
upload-sarif.Input::{
, sarif_file = Some "trivy-results.sarif"
}
⫽ { continue-on-error = Some True }
]
}
, security_scan = TrivyJob args.name
}
# args.jobs
}
......
......@@ -82,7 +82,11 @@ jobs:
- uses: "actions/checkout@v2"
- run: "docker pull ghcr.io/socialgouv/docker/azure-cli:sha-${{ github.sha }}"
- name: Run Trivy vulnerability scanner
uses: "aquasecurity/trivy-action@b38389f8efef9798810fe0c5b5096ac198cffd54"
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
image-ref: "ghcr.io/socialgouv/docker/azure-cli:sha-${{ github.sha }}"
- name: Export Trivy Results as sarif
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
format: template
image-ref: "ghcr.io/socialgouv/docker/azure-cli:sha-${{ github.sha }}"
......@@ -90,8 +94,7 @@ jobs:
template: "@/contrib/sarif.tpl"
- name: Change hardcoded Dockerfile path
run: "sed -i 's/\"uri\": \"Dockerfile\"/\"uri\": \"azure-cli\\/Dockerfile\"/' trivy-results.sarif"
- continue-on-error: true
uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
- uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
with:
sarif_file: trivy-results.sarif
version_test:
......
......@@ -82,7 +82,11 @@ jobs:
- uses: "actions/checkout@v2"
- run: "docker pull ghcr.io/socialgouv/docker/azure-cli:sha-${{ github.sha }}"
- name: Run Trivy vulnerability scanner
uses: "aquasecurity/trivy-action@b38389f8efef9798810fe0c5b5096ac198cffd54"
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
image-ref: "ghcr.io/socialgouv/docker/azure-cli:sha-${{ github.sha }}"
- name: Export Trivy Results as sarif
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
format: template
image-ref: "ghcr.io/socialgouv/docker/azure-cli:sha-${{ github.sha }}"
......@@ -90,8 +94,7 @@ jobs:
template: "@/contrib/sarif.tpl"
- name: Change hardcoded Dockerfile path
run: "sed -i 's/\"uri\": \"Dockerfile\"/\"uri\": \"azure-cli\\/Dockerfile\"/' trivy-results.sarif"
- continue-on-error: true
uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
- uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
with:
sarif_file: trivy-results.sarif
version_test:
......
......@@ -92,7 +92,11 @@ jobs:
- uses: "actions/checkout@v2"
- run: "docker pull ghcr.io/socialgouv/docker/azure-db:sha-${{ github.sha }}"
- name: Run Trivy vulnerability scanner
uses: "aquasecurity/trivy-action@b38389f8efef9798810fe0c5b5096ac198cffd54"
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
image-ref: "ghcr.io/socialgouv/docker/azure-db:sha-${{ github.sha }}"
- name: Export Trivy Results as sarif
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
format: template
image-ref: "ghcr.io/socialgouv/docker/azure-db:sha-${{ github.sha }}"
......@@ -100,8 +104,7 @@ jobs:
template: "@/contrib/sarif.tpl"
- name: Change hardcoded Dockerfile path
run: "sed -i 's/\"uri\": \"Dockerfile\"/\"uri\": \"azure-db\\/Dockerfile\"/' trivy-results.sarif"
- continue-on-error: true
uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
- uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
with:
sarif_file: trivy-results.sarif
version_test:
......
......@@ -92,7 +92,11 @@ jobs:
- uses: "actions/checkout@v2"
- run: "docker pull ghcr.io/socialgouv/docker/azure-db:sha-${{ github.sha }}"
- name: Run Trivy vulnerability scanner
uses: "aquasecurity/trivy-action@b38389f8efef9798810fe0c5b5096ac198cffd54"
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
image-ref: "ghcr.io/socialgouv/docker/azure-db:sha-${{ github.sha }}"
- name: Export Trivy Results as sarif
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
format: template
image-ref: "ghcr.io/socialgouv/docker/azure-db:sha-${{ github.sha }}"
......@@ -100,8 +104,7 @@ jobs:
template: "@/contrib/sarif.tpl"
- name: Change hardcoded Dockerfile path
run: "sed -i 's/\"uri\": \"Dockerfile\"/\"uri\": \"azure-db\\/Dockerfile\"/' trivy-results.sarif"
- continue-on-error: true
uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
- uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
with:
sarif_file: trivy-results.sarif
version_test:
......
......@@ -92,7 +92,11 @@ jobs:
- uses: "actions/checkout@v2"
- run: "docker pull ghcr.io/socialgouv/docker/bats:sha-${{ github.sha }}"
- name: Run Trivy vulnerability scanner
uses: "aquasecurity/trivy-action@b38389f8efef9798810fe0c5b5096ac198cffd54"
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
image-ref: "ghcr.io/socialgouv/docker/bats:sha-${{ github.sha }}"
- name: Export Trivy Results as sarif
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
format: template
image-ref: "ghcr.io/socialgouv/docker/bats:sha-${{ github.sha }}"
......@@ -100,8 +104,7 @@ jobs:
template: "@/contrib/sarif.tpl"
- name: Change hardcoded Dockerfile path
run: "sed -i 's/\"uri\": \"Dockerfile\"/\"uri\": \"bats\\/Dockerfile\"/' trivy-results.sarif"
- continue-on-error: true
uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
- uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
with:
sarif_file: trivy-results.sarif
version_test:
......
......@@ -92,7 +92,11 @@ jobs:
- uses: "actions/checkout@v2"
- run: "docker pull ghcr.io/socialgouv/docker/bats:sha-${{ github.sha }}"
- name: Run Trivy vulnerability scanner
uses: "aquasecurity/trivy-action@b38389f8efef9798810fe0c5b5096ac198cffd54"
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
image-ref: "ghcr.io/socialgouv/docker/bats:sha-${{ github.sha }}"
- name: Export Trivy Results as sarif
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
format: template
image-ref: "ghcr.io/socialgouv/docker/bats:sha-${{ github.sha }}"
......@@ -100,8 +104,7 @@ jobs:
template: "@/contrib/sarif.tpl"
- name: Change hardcoded Dockerfile path
run: "sed -i 's/\"uri\": \"Dockerfile\"/\"uri\": \"bats\\/Dockerfile\"/' trivy-results.sarif"
- continue-on-error: true
uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
- uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
with:
sarif_file: trivy-results.sarif
version_test:
......
......@@ -82,7 +82,11 @@ jobs:
- uses: "actions/checkout@v2"
- run: "docker pull ghcr.io/socialgouv/docker/curl:sha-${{ github.sha }}"
- name: Run Trivy vulnerability scanner
uses: "aquasecurity/trivy-action@b38389f8efef9798810fe0c5b5096ac198cffd54"
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
image-ref: "ghcr.io/socialgouv/docker/curl:sha-${{ github.sha }}"
- name: Export Trivy Results as sarif
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
format: template
image-ref: "ghcr.io/socialgouv/docker/curl:sha-${{ github.sha }}"
......@@ -90,8 +94,7 @@ jobs:
template: "@/contrib/sarif.tpl"
- name: Change hardcoded Dockerfile path
run: "sed -i 's/\"uri\": \"Dockerfile\"/\"uri\": \"curl\\/Dockerfile\"/' trivy-results.sarif"
- continue-on-error: true
uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
- uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
with:
sarif_file: trivy-results.sarif
version_test:
......
......@@ -82,7 +82,11 @@ jobs:
- uses: "actions/checkout@v2"
- run: "docker pull ghcr.io/socialgouv/docker/curl:sha-${{ github.sha }}"
- name: Run Trivy vulnerability scanner
uses: "aquasecurity/trivy-action@b38389f8efef9798810fe0c5b5096ac198cffd54"
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
image-ref: "ghcr.io/socialgouv/docker/curl:sha-${{ github.sha }}"
- name: Export Trivy Results as sarif
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
format: template
image-ref: "ghcr.io/socialgouv/docker/curl:sha-${{ github.sha }}"
......@@ -90,8 +94,7 @@ jobs:
template: "@/contrib/sarif.tpl"
- name: Change hardcoded Dockerfile path
run: "sed -i 's/\"uri\": \"Dockerfile\"/\"uri\": \"curl\\/Dockerfile\"/' trivy-results.sarif"
- continue-on-error: true
uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
- uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
with:
sarif_file: trivy-results.sarif
version_test:
......
......@@ -82,7 +82,11 @@ jobs:
- uses: "actions/checkout@v2"
- run: "docker pull ghcr.io/socialgouv/docker/dhall:sha-${{ github.sha }}"
- name: Run Trivy vulnerability scanner
uses: "aquasecurity/trivy-action@b38389f8efef9798810fe0c5b5096ac198cffd54"
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
image-ref: "ghcr.io/socialgouv/docker/dhall:sha-${{ github.sha }}"
- name: Export Trivy Results as sarif
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
format: template
image-ref: "ghcr.io/socialgouv/docker/dhall:sha-${{ github.sha }}"
......@@ -90,8 +94,7 @@ jobs:
template: "@/contrib/sarif.tpl"
- name: Change hardcoded Dockerfile path
run: "sed -i 's/\"uri\": \"Dockerfile\"/\"uri\": \"dhall\\/Dockerfile\"/' trivy-results.sarif"
- continue-on-error: true
uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
- uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
with:
sarif_file: trivy-results.sarif
version_test:
......
......@@ -82,7 +82,11 @@ jobs:
- uses: "actions/checkout@v2"
- run: "docker pull ghcr.io/socialgouv/docker/dhall:sha-${{ github.sha }}"
- name: Run Trivy vulnerability scanner
uses: "aquasecurity/trivy-action@b38389f8efef9798810fe0c5b5096ac198cffd54"
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
image-ref: "ghcr.io/socialgouv/docker/dhall:sha-${{ github.sha }}"
- name: Export Trivy Results as sarif
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
format: template
image-ref: "ghcr.io/socialgouv/docker/dhall:sha-${{ github.sha }}"
......@@ -90,8 +94,7 @@ jobs:
template: "@/contrib/sarif.tpl"
- name: Change hardcoded Dockerfile path
run: "sed -i 's/\"uri\": \"Dockerfile\"/\"uri\": \"dhall\\/Dockerfile\"/' trivy-results.sarif"
- continue-on-error: true
uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
- uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
with:
sarif_file: trivy-results.sarif
version_test:
......
......@@ -92,7 +92,11 @@ jobs:
- uses: "actions/checkout@v2"
- run: "docker pull ghcr.io/socialgouv/docker/git-deploy:sha-${{ github.sha }}"
- name: Run Trivy vulnerability scanner
uses: "aquasecurity/trivy-action@b38389f8efef9798810fe0c5b5096ac198cffd54"
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
image-ref: "ghcr.io/socialgouv/docker/git-deploy:sha-${{ github.sha }}"
- name: Export Trivy Results as sarif
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
format: template
image-ref: "ghcr.io/socialgouv/docker/git-deploy:sha-${{ github.sha }}"
......@@ -100,8 +104,7 @@ jobs:
template: "@/contrib/sarif.tpl"
- name: Change hardcoded Dockerfile path
run: "sed -i 's/\"uri\": \"Dockerfile\"/\"uri\": \"git-deploy\\/Dockerfile\"/' trivy-results.sarif"
- continue-on-error: true
uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
- uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
with:
sarif_file: trivy-results.sarif
version_test:
......
......@@ -92,7 +92,11 @@ jobs:
- uses: "actions/checkout@v2"
- run: "docker pull ghcr.io/socialgouv/docker/git-deploy:sha-${{ github.sha }}"
- name: Run Trivy vulnerability scanner
uses: "aquasecurity/trivy-action@b38389f8efef9798810fe0c5b5096ac198cffd54"
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
image-ref: "ghcr.io/socialgouv/docker/git-deploy:sha-${{ github.sha }}"
- name: Export Trivy Results as sarif
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
format: template
image-ref: "ghcr.io/socialgouv/docker/git-deploy:sha-${{ github.sha }}"
......@@ -100,8 +104,7 @@ jobs:
template: "@/contrib/sarif.tpl"
- name: Change hardcoded Dockerfile path
run: "sed -i 's/\"uri\": \"Dockerfile\"/\"uri\": \"git-deploy\\/Dockerfile\"/' trivy-results.sarif"
- continue-on-error: true
uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
- uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
with:
sarif_file: trivy-results.sarif
version_test:
......
......@@ -82,7 +82,11 @@ jobs:
- uses: "actions/checkout@v2"
- run: "docker pull ghcr.io/socialgouv/docker/kosko:sha-${{ github.sha }}"
- name: Run Trivy vulnerability scanner
uses: "aquasecurity/trivy-action@b38389f8efef9798810fe0c5b5096ac198cffd54"
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
image-ref: "ghcr.io/socialgouv/docker/kosko:sha-${{ github.sha }}"
- name: Export Trivy Results as sarif
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
format: template
image-ref: "ghcr.io/socialgouv/docker/kosko:sha-${{ github.sha }}"
......@@ -90,8 +94,7 @@ jobs:
template: "@/contrib/sarif.tpl"
- name: Change hardcoded Dockerfile path
run: "sed -i 's/\"uri\": \"Dockerfile\"/\"uri\": \"kosko\\/Dockerfile\"/' trivy-results.sarif"
- continue-on-error: true
uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
- uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
with:
sarif_file: trivy-results.sarif
version_test:
......
......@@ -82,7 +82,11 @@ jobs:
- uses: "actions/checkout@v2"
- run: "docker pull ghcr.io/socialgouv/docker/kosko:sha-${{ github.sha }}"
- name: Run Trivy vulnerability scanner
uses: "aquasecurity/trivy-action@b38389f8efef9798810fe0c5b5096ac198cffd54"
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
image-ref: "ghcr.io/socialgouv/docker/kosko:sha-${{ github.sha }}"
- name: Export Trivy Results as sarif
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
format: template
image-ref: "ghcr.io/socialgouv/docker/kosko:sha-${{ github.sha }}"
......@@ -90,8 +94,7 @@ jobs:
template: "@/contrib/sarif.tpl"
- name: Change hardcoded Dockerfile path
run: "sed -i 's/\"uri\": \"Dockerfile\"/\"uri\": \"kosko\\/Dockerfile\"/' trivy-results.sarif"
- continue-on-error: true
uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
- uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
with:
sarif_file: trivy-results.sarif
version_test:
......
......@@ -82,7 +82,11 @@ jobs:
- uses: "actions/checkout@v2"
- run: "docker pull ghcr.io/socialgouv/docker/kubectl:sha-${{ github.sha }}"
- name: Run Trivy vulnerability scanner
uses: "aquasecurity/trivy-action@b38389f8efef9798810fe0c5b5096ac198cffd54"
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
image-ref: "ghcr.io/socialgouv/docker/kubectl:sha-${{ github.sha }}"
- name: Export Trivy Results as sarif
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
format: template
image-ref: "ghcr.io/socialgouv/docker/kubectl:sha-${{ github.sha }}"
......@@ -90,8 +94,7 @@ jobs:
template: "@/contrib/sarif.tpl"
- name: Change hardcoded Dockerfile path
run: "sed -i 's/\"uri\": \"Dockerfile\"/\"uri\": \"kubectl\\/Dockerfile\"/' trivy-results.sarif"
- continue-on-error: true
uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
- uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
with:
sarif_file: trivy-results.sarif
version_test:
......
......@@ -82,7 +82,11 @@ jobs:
- uses: "actions/checkout@v2"
- run: "docker pull ghcr.io/socialgouv/docker/kubectl:sha-${{ github.sha }}"
- name: Run Trivy vulnerability scanner
uses: "aquasecurity/trivy-action@b38389f8efef9798810fe0c5b5096ac198cffd54"
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
image-ref: "ghcr.io/socialgouv/docker/kubectl:sha-${{ github.sha }}"
- name: Export Trivy Results as sarif
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
format: template
image-ref: "ghcr.io/socialgouv/docker/kubectl:sha-${{ github.sha }}"
......@@ -90,8 +94,7 @@ jobs:
template: "@/contrib/sarif.tpl"
- name: Change hardcoded Dockerfile path
run: "sed -i 's/\"uri\": \"Dockerfile\"/\"uri\": \"kubectl\\/Dockerfile\"/' trivy-results.sarif"
- continue-on-error: true
uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
- uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
with:
sarif_file: trivy-results.sarif
version_test:
......
......@@ -92,7 +92,11 @@ jobs:
- uses: "actions/checkout@v2"
- run: "docker pull ghcr.io/socialgouv/docker/nginx4spa:sha-${{ github.sha }}"
- name: Run Trivy vulnerability scanner
uses: "aquasecurity/trivy-action@b38389f8efef9798810fe0c5b5096ac198cffd54"
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
image-ref: "ghcr.io/socialgouv/docker/nginx4spa:sha-${{ github.sha }}"
- name: Export Trivy Results as sarif
uses: "aquasecurity/trivy-action@dba83feec810c70bacbc4bead308ae1e466c572b"
with:
format: template
image-ref: "ghcr.io/socialgouv/docker/nginx4spa:sha-${{ github.sha }}"
......@@ -100,8 +104,7 @@ jobs:
template: "@/contrib/sarif.tpl"
- name: Change hardcoded Dockerfile path
run: "sed -i 's/\"uri\": \"Dockerfile\"/\"uri\": \"nginx4spa\\/Dockerfile\"/' trivy-results.sarif"
- continue-on-error: true
uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
- uses: "github/codeql-action/upload-sarif@a3a8231e64d3db0e7da0f3b56b9521dcccdfe412"
with:
sarif_file: trivy-results.sarif
version_test:
......
......@@ -92,7 +92,11 @@ jobs:
- uses: "actions/checkout@v2"
- run: "docker pull ghcr.io/socialgouv/docker/nginx4spa:sha-${{ github.sha }}"
- name: Run Trivy vulnerability scanner