diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 81e0330ad..22ebdc2d2 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -464,7 +464,6 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - name: Run Trivy vulnerability scanner in repo mode - #Commit SHA for v0.0.17 uses: aquasecurity/trivy-action@296212627a1e693efa09c00adc3e03b2ba8edf18 with: scan-type: "fs" diff --git a/.github/workflows/trivy-docker.yaml b/.github/workflows/trivy-docker.yaml new file mode 100644 index 000000000..ae5c26665 --- /dev/null +++ b/.github/workflows/trivy-docker.yaml @@ -0,0 +1,65 @@ +name: Trivy Nightly Docker Scan + +on: + # Run scans if the workflow is modified, in order to test the + # workflow itself. This results in some spurious notifications, + # but seems okay for testing. + pull_request: + branches: + - main + paths: + - .github/workflows/trivy-docker.yaml + + # Run scans against master whenever changes are merged. + push: + branches: + - main + paths: + - .github/workflows/trivy-docker.yaml + + schedule: + # Run at 10:15 am UTC (3:15am PT/5:15am CT) + # Run at 0 minutes 0 hours of every day. + - cron: "15 10 * * *" + + workflow_dispatch: + +permissions: + actions: none + checks: none + contents: read + deployments: none + issues: none + packages: none + pull-requests: none + repository-projects: none + security-events: none + statuses: none + +# Cancel in-progress runs for pull requests when developers push +# additional changes, and serialize builds in branches. +# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + +jobs: + trivy-scan-image: + runs-on: ubuntu-20.04 + + steps: + - name: Checkout code + uses: actions/checkout@v3 + + - name: Run Trivy vulnerability scanner in image mode + uses: aquasecurity/trivy-action@296212627a1e693efa09c00adc3e03b2ba8edf18 + with: + image-ref: "docker.io/codercom/code-server:latest" + ignore-unfixed: true + format: "sarif" + output: "trivy-image-results.sarif" + severity: "HIGH,CRITICAL" + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 + with: + sarif_file: "trivy-image-results.sarif"