Skip to content
Trivy Scan

Merge pull request #2884 from OpenC3/maint/login #4852

Sign in to view logs

Merge pull request #2884 from OpenC3/maint/login

Merge pull request #2884 from OpenC3/maint/login #4852

Workflow file for this run

.github/workflows/trivy.yml at 02086f8
# Copyright 2026 OpenC3, Inc.
# All Rights Reserved.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# See LICENSE.md for more details.
# This file may also be used under the terms of a commercial license
# if purchased from OpenC3, Inc.
name: Trivy Scan
# Only run on a push to main to avoid running for all the dependabot PRs
on:
push:
branches:
- main
pull_request:
branches:
- "**"
# Workaround for https://github.com/aquasecurity/trivy-action/issues/389
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
jobs:
openc3-scan:
if: ${{ github.actor != 'dependabot[bot]' }}
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v6
- name: openc3.sh build
id: build
# This `shell` line is required to get around a known issue: https://github.com/actions/runner/issues/241#issuecomment-745902718
shell: 'script -q -e -c "bash {0}"'
run: ./openc3.sh build
env:
OPENC3_TAG: ${{ github.sha }}
- name: Manual Trivy Setup
uses: aquasecurity/setup-trivy@v0.2.5
with:
cache: true
version: v0.68.2
- name: Run Trivy on image ruby
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
# See https://github.com/aquasecurity/trivy-action
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-ruby:${{ github.sha }}"
# output: "trivy-ruby.sarif"
trivy-config: trivy.yaml
skip-setup-trivy: true
# NOTE: Disabling upload of SARIF files so we can see the output in the job
# like with COSMOS Enterprise. To re-enable, uncomment the Upload lines,
# and output: "trivy-ruby.sarif" as well as setting format: "sarif" in trivy.yaml.
#
# - name: Upload Trivy scan results
# if: ${{ !cancelled() && steps.build.outcome == 'success' }}
# uses: github/codeql-action/upload-sarif@v3
# with:
# category: "openc3-ruby"
# sarif_file: "trivy-ruby.sarif"
- name: Run Trivy on image node
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-node:${{ github.sha }}"
# output: "trivy-node.sarif"
trivy-config: trivy.yaml
skip-setup-trivy: true
# - name: Upload Trivy scan results
# if: ${{ !cancelled() && steps.build.outcome == 'success' }}
# uses: github/codeql-action/upload-sarif@v3
# with:
# category: "openc3-node"
# sarif_file: "trivy-node.sarif"
- name: Run Trivy on image base
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-base:${{ github.sha }}"
# output: "trivy-base.sarif"
trivy-config: trivy.yaml
skip-setup-trivy: true
# - name: Upload Trivy scan results
# if: ${{ !cancelled() && steps.build.outcome == 'success' }}
# uses: github/codeql-action/upload-sarif@v3
# with:
# category: "openc3-base"
# sarif_file: "trivy-base.sarif"
- name: Run Trivy on image cosmos-init
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-cosmos-init:${{ github.sha }}"
# output: "trivy-init.sarif"
trivy-config: trivy.yaml
skip-setup-trivy: true
# - name: Upload Trivy scan results
# if: ${{ !cancelled() && steps.build.outcome == 'success' }}
# uses: github/codeql-action/upload-sarif@v3
# with:
# category: "openc3-init"
# sarif_file: "trivy-init.sarif"
- name: Run Trivy on image redis
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-redis:${{ github.sha }}"
# output: "trivy-redis.sarif"
trivy-config: trivy.yaml
skip-setup-trivy: true
# - name: Upload Trivy scan results
# if: ${{ !cancelled() && steps.build.outcome == 'success' }}
# uses: github/codeql-action/upload-sarif@v3
# with:
# category: "openc3-redis"
# sarif_file: "trivy-redis.sarif"
- name: Run Trivy on image bucket
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-buckets:${{ github.sha }}"
# output: "trivy-bucket.sarif"
trivy-config: trivy.yaml
skip-setup-trivy: true
# - name: Upload Trivy scan results
# if: ${{ !cancelled() && steps.build.outcome == 'success' }}
# uses: github/codeql-action/upload-sarif@v3
# with:
# category: "openc3-buckets"
# sarif_file: "trivy-bucket.sarif"
- name: Run Trivy on image tsdb
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-tsdb:${{ github.sha }}"
# output: "trivy-tsdb.sarif"
trivy-config: trivy.yaml
skip-setup-trivy: true
# - name: Upload Trivy scan results
# if: ${{ !cancelled() && steps.build.outcome == 'success' }}
# uses: github/codeql-action/upload-sarif@v3
# with:
# category: "openc3-tsdb"
# sarif_file: "trivy-tsdb.sarif"
- name: Run Trivy on image operator
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-operator:${{ github.sha }}"
# output: "trivy-operator.sarif"
trivy-config: trivy.yaml
skip-setup-trivy: true
# - name: Upload Trivy scan results
# if: ${{ !cancelled() && steps.build.outcome == 'success' }}
# uses: github/codeql-action/upload-sarif@v3
# with:
# category: "openc3-operator"
# sarif_file: "trivy-operator.sarif"
- name: Run Trivy on image cmd-tlm-api
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-cosmos-cmd-tlm-api:${{ github.sha }}"
# output: "trivy-cmd-tlm-api.sarif"
trivy-config: trivy.yaml
skip-setup-trivy: true
# - name: Upload Trivy scan results
# if: ${{ !cancelled() && steps.build.outcome == 'success' }}
# uses: github/codeql-action/upload-sarif@v3
# with:
# category: "openc3-cmd-tlm-api"
# sarif_file: "trivy-cmd-tlm-api.sarif"
- name: Run Trivy on image script-runner-api
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-cosmos-script-runner-api:${{ github.sha }}"
# output: "trivy-script-runner-api.sarif"
trivy-config: trivy.yaml
skip-setup-trivy: true
# - name: Upload Trivy scan results
# if: ${{ !cancelled() && steps.build.outcome == 'success' }}
# uses: github/codeql-action/upload-sarif@v3
# with:
# category: "openc3-script-runner-api"
# sarif_file: "trivy-script-runner-api.sarif"
- name: Run Trivy on image traefik
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/openc3inc/openc3-traefik:${{ github.sha }}"
# output: "trivy-traefik.sarif"
trivy-config: trivy.yaml
skip-setup-trivy: true
# - name: Upload Trivy scan results
# if: ${{ !cancelled() && steps.build.outcome == 'success' }}
# uses: github/codeql-action/upload-sarif@v3
# with:
# category: "openc3-traefik"
# sarif_file: "trivy-traefik.sarif"
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
if: ${{ !cancelled() && steps.build.outcome == 'success' }}
uses: aquasecurity/trivy-action@master
with:
scan-type: "fs"
format: "github"
exit-code: 0
output: "dependency-results.sbom.json"
image-ref: "."
github-pat: ${{ secrets.GITHUB_TOKEN }}
# - uses: anchore/scan-action/download-grype@v3
# id: grype
# - name: Run grype on the image ruby
# run: ${{steps.grype.outputs.cmd}} docker.io/openc3inc/openc3-ruby:latest
# - name: Run grype on the image node
# run: ${{steps.grype.outputs.cmd}} docker.io/openc3inc/openc3-node:latest
# - name: Run grype on the image base
# run: ${{steps.grype.outputs.cmd}} docker.io/openc3inc/openc3-base:latest
# - name: Run grype on the image init
# run: ${{steps.grype.outputs.cmd}} docker.io/openc3inc/openc3-cosmos-init:latest
# - name: Run grype on the image redis
# run: ${{steps.grype.outputs.cmd}} docker.io/openc3inc/openc3-redis:latest
# - name: Run grype on the image bucket
# run: ${{steps.grype.outputs.cmd}} docker.io/openc3inc/openc3-buckets:latest
# - name: Run grype on the image tsdb
# run: ${{steps.grype.outputs.cmd}} docker.io/openc3inc/openc3-tsdb:latest
# - name: Run grype on the image operator
# run: ${{steps.grype.outputs.cmd}} docker.io/openc3inc/openc3-operator:latest
# - name: Run grype on the image cmd-tlm-api
# run: ${{steps.grype.outputs.cmd}} docker.io/openc3inc/openc3-cosmos-cmd-tlm-api:latest
# - name: Run grype on the image script-runner-api
# run: ${{steps.grype.outputs.cmd}} docker.io/openc3inc/openc3-cosmos-script-runner-api:latest
# - name: Run grype on the image traefik
# run: ${{steps.grype.outputs.cmd}} docker.io/openc3inc/openc3-traefik:latest