mirror of
https://github.com/vacp2p/status-linea-besu.git
synced 2026-01-09 13:58:02 -05:00
aef938964d
Trivy scan result upload to GitHub fails due to permission issue. Added permission security-events=write to the workflow file as a fix. Since workflow permission explicitly defined, it requires contents=read explicity set as well Signed-off-by: Chaminda Divitotawela <cdivitotawela@gmail.com>
48 lines
1.4 KiB
YAML
48 lines
1.4 KiB
YAML
name: container security scan
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
tag:
|
|
description: 'Container image tag'
|
|
required: false
|
|
default: 'develop'
|
|
schedule:
|
|
# Start of the hour is the busy time. Scheule it to run 8:17am UTC
|
|
- cron: '17 8 * * *'
|
|
|
|
jobs:
|
|
scan-sarif:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
security-events: write
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
|
|
|
|
# Shell parameter expansion does not support directly on a step
|
|
# Adding a separate step to set the image tag. This allows running
|
|
# this workflow with a schedule as well as manual
|
|
- name: Set image tag
|
|
id: tag
|
|
run: |
|
|
echo "TAG=${INPUT_TAG:-develop}" >> "$GITHUB_OUTPUT"
|
|
env:
|
|
INPUT_TAG: ${{ inputs.tag }}
|
|
|
|
- name: Vulnerability scanner
|
|
id: trivy
|
|
uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d
|
|
with:
|
|
image-ref: hyperledger/besu:${{ steps.tag.outputs.TAG }}
|
|
format: sarif
|
|
output: 'trivy-results.sarif'
|
|
|
|
# Check the vulnerabilities via GitHub security tab
|
|
- name: Upload results
|
|
uses: github/codeql-action/upload-sarif@23acc5c183826b7a8a97bce3cecc52db901f8251
|
|
with:
|
|
sarif_file: 'trivy-results.sarif'
|