File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change 6262 with :
6363 category : " /language:${{matrix.language}}"
6464
65- # Job 2: Fast Dependency (SCA) and Infrastructure-as-Code (IaC) Scan
65+ # Job 2: Fast Dependency (SCA) and Infrastructure-as-Code (IaC) Scan
6666 supply-chain :
6767 name : Trivy Security Scan
6868 runs-on : ' ubuntu-latest'
@@ -75,13 +75,14 @@ jobs:
7575 uses : actions/checkout@v4
7676
7777 - name : Run Trivy Vulnerability Scanner
78- uses : aquasecurity/trivy-action@master
78+ uses : aquasecurity/trivy-action@v0.36.0 # Pinned to a stable release version
7979 with :
80- scan-type : ' fs' # Scans the entire file system of the repo
81- security-checks : ' vuln,config' # 'vuln' catches bad dependencies, 'config' catches Docker/IaC flaws
82- format : ' sarif' # Generates a standard format GitHub understands
80+ scan-type : ' fs'
81+ scan-ref : ' .' # Explicitly targets the repo root directory
82+ scanners : ' vuln,config' # Replaced 'security-checks' with the valid 'scanners' input
83+ format : ' sarif'
8384 output : ' trivy-results.sarif'
84- severity : ' CRITICAL,HIGH' # Filters out low-priority noise
85+ severity : ' CRITICAL,HIGH'
8586
8687 - name : Upload Trivy results to GitHub Security
8788 uses : github/codeql-action/upload-sarif@v4
You can’t perform that action at this time.
0 commit comments