actions/drone-ssh
1
0
Fork 0
mirror of https://github.com/appleboy/drone-ssh.git synced 2026-03-05 22:57:00 -05:00
Code Issues Packages Projects Releases 1 Wiki Activity

ci: integrate automated Trivy security scanning in CI workflows

Browse Source 
- Add explicit permissions for contents, packages, and security-events to the Docker GitHub Actions workflow
- Integrate Trivy vulnerability scanning and results upload into the Docker workflow
- Add a dedicated GitHub Actions workflow for Trivy security scanning of both repository files and Docker images, with scheduled, push, and pull request triggers
- Ensure Trivy SARIF results are uploaded to the GitHub Security tab after scans

Signed-off-by: appleboy <appleboy.tw@gmail.com>
This commit is contained in:
appleboy 2025-11-28 21:43:07 +08:00
parent 1cc99b6113
commit 7a94dda076
No known key found for this signature in database
2 changed files with 116 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
.github/workflows/docker.yml vendored
View File

@ -10,6 +10,11 @@ on:
branches: branches:
- "master" - "master"
permissions:
contents: read
packages: write
security-events: write
jobs: jobs:
build-docker: build-docker:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -60,7 +65,33 @@ jobs:
type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}}.{{minor}}
type=semver,pattern={{major}} type=semver,pattern={{major}}
- name: Build image for scanning
uses: docker/build-push-action@v6
with:
context: .
platforms: linux/amd64
file: docker/Dockerfile
push: false
load: true
tags: ${{ github.repository }}:scan
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: "${{ github.repository }}:scan"
format: "sarif"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH"
exit-code: "1"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: "trivy-results.sarif"
- name: Build and push - name: Build and push
if: success()
uses: docker/build-push-action@v6 uses: docker/build-push-action@v6
with: with:
context: . context: .

85
.github/workflows/trivy.yml vendored Normal file
View File

@ -0,0 +1,85 @@
name: Trivy Security Scan
on:
push:
branches:
- master
pull_request:
branches:
- master
schedule:
# Run daily at 00:00 UTC
- cron: "0 0 * * *"
workflow_dispatch:
permissions:
contents: read
security-events: write
jobs:
trivy-repo-scan:
name: Trivy Repository Scan
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner (repo)
uses: aquasecurity/trivy-action@master
with:
scan-type: "fs"
scan-ref: "."
format: "sarif"
output: "trivy-repo-results.sarif"
severity: "CRITICAL,HIGH"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: "trivy-repo-results.sarif"
trivy-image-scan:
name: Trivy Image Scan
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Setup go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
check-latest: true
- name: Build binary
run: |
make build_linux_amd64
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build Docker image for scanning
uses: docker/build-push-action@v6
with:
context: .
file: docker/Dockerfile
platforms: linux/amd64
push: false
load: true
tags: drone-ssh:scan
- name: Run Trivy vulnerability scanner (image)
uses: aquasecurity/trivy-action@master
with:
image-ref: "drone-ssh:scan"
format: "sarif"
output: "trivy-image-results.sarif"
severity: "CRITICAL,HIGH"
- name: Upload Trivy image scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: "trivy-image-results.sarif"
category: "trivy-image"