add trivy.yml (#31)
* add trivy.yml

* remove pinned versions

* ignore=DL3008

* fix superlinter CHECKOV and GITHUB_ACTIONS
maaikelimper authored Nov 5, 2024
1 parent d7028a1 commit 3db05fc
Showing 2 changed files with 34 additions and 1 deletion.
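--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,32 @@
+name: Run Trivy vulnerability scanner
+
+on: [ push ]
+
+permissions:
+  contents: read
+  packages: write
+  issues: write
+  pull-requests: write
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Build wis2downloader
+        run: |
+          docker build -t wis2downloader:test -f ./docker/Dockerfile .
+      - name: Run Trivy vulnerability scanner on wis2downloader
+        uses: aquasecurity/trivy-action@0.20.0
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+        with:
+          image-ref: 'wis2downloader:test'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          ignorefile: '.trivyignore'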
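Review bot: The `permissions` block grants `packages: write`, `issues: write` and `pull-requests: write`, but the three steps only check out the repo, build an image locally and run Trivy in table mode with no upload or comment step, so `contents: read` is the only scope the job uses and the extra write scopes widen what a compromised action or build step could do with the job token. Shrink it to `permissions:` / `  contents: read`. Both third-party actions are referenced by mutable tag (`actions/checkout@v4`, `aquasecurity/trivy-action@0.20.0`); pinning to a full commit SHA with the tag in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha>  # 0.20.0`, stops a retagged release from changing what runs in CI. With `on: [ push ]` only, an image whose base packages pick up new CVEs after the last push is never rescanned; adding a `schedule` trigger would catch that if the project wants it.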
3 changes: 2 additions & 1 deletion docker/Dockerfile
Expand Up @@ -18,9 +18,10 @@ ENV WIS2DOWNLOADER_CONFIG "/home/wis2downloader/app/config/config.json"


# Update, upgrade packages and install / clean up
# hadolint ignore=DL3008
RUN apt-get update && \
apt-get upgrade && \
apt-get install -y gettext-base=0.21-12 curl=7.88.1-10+deb12u6 cron=3.0pl1-162 git=1:2.39.2-1.1 && \
apt-get install -y gettext-base curl cron git && \
rm -rf /var/lib/apt/lists/*

# Now setup python env and default user
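Review bot: The added `# hadolint ignore=DL3008` silences the unpinned-package warning without recording why the pins were dropped, and the new `apt-get install -y gettext-base curl cron git` line means each rebuild picks up whatever versions Debian ships that day, so the Trivy gate's result now depends on when the image was built rather than on the Dockerfile alone. A one-line rationale would help the next maintainer, e.g. `# hadolint ignore=DL3008 -- pins dropped so rebuilds pull current security fixes; Trivy gates on CRITICAL/HIGH`. Separately, the unchanged `apt-get upgrade && \` has no `-y`, so in a non-interactive build it is likely to abort when upgrades are pending and the security updates this commit seems to rely on may never apply; `apt-get upgrade -y && \` would make that intent hold. The RUN instruction is fully inside the hunk.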
