Adding code scan (#3) #348
Open
+136
−0
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* adding basic trivy scan workflow (#1) * adding trivy scan workflow * fixed typo ubtuntu -> ubuntu * adding scan-type * switching to fs scanner * outputing to workflow summary and adding --scanners flag * correcting severity flag * sparse checking-out to examples * removing regex, only directory instead * adding the test_provider step to do terraform init * removing sparse checkout * added terraform init only * echoing pwd at terraform init * where is terraform init * init in each providers * init in each providers * initiating examples as well * adding medium severity * should not need terraform to scan * added action-tmate in steps * moved the tmate session to end of job * update Trivy to 0.59.0 * initiating examples as well * adding medium severity * should not need terraform to scan * added action-tmate in steps * moved the tmate session to end of job * update Trivy to 0.59.0 * skip setup trivy in trivy scan * cleaning up the workflow * converting back to sarif output * defaulting to latest Trivy * bumping action's version * adding severity level * adding a Todo * Workflow/individual scan (#2) * created script that creates directories to scan * make workflow use compose.sh * edit permisions * output to summary * output to summary * Update Trivy scan output format to JSON and add SARIF conversion step * Update Trivy scan output to use JSON format in summary * add cleanup * add tmate session after compose bash * cleaning up and commenting * Fix usage function and improve option parsing in compose.sh * figuring out if clean up is necessary * Remove redundant tmate session setup and cleanup steps from trivy_scan workflow * Update .gitignore to exclude scan files
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Content
Changes
Trivy scan
This new workflow configures Trivy, a static code analysis tool for IaC codebase and more. Trivy helps detect misconfigurations and vulnerabilities using the Aqua Security vulnerability database.
Scanning process
The
compose.shscript creates temporary directories grouped by provider so that Trivy can scan them individually. This approach avoids duplication of scan results caused by symlinks present in the repository structure. These symlinks improve maintainability and release workflows but confuse the scan output if not handled properly.Exporting results in Security tab
Trivy scan results are exported in SARIF format, allowing them to be displayed in the repository’s Security tab under Code Scanning Alerts.
Additionally, scan results are also output in JSON format and included in the GitHub Actions run summary for easier inspection during CI runs.