Skip to content

Commit 963bef7

Browse files
authored
Update Trivy action version and parameters
Pinned Trivy action to a stable release version and updated input parameters for the scanner.
1 parent d460119 commit 963bef7

1 file changed

Lines changed: 7 additions & 6 deletions

File tree

.github/workflows/codeql.yml

Lines changed: 7 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -62,7 +62,7 @@ jobs:
6262
with:
6363
category: "/language:${{matrix.language}}"
6464

65-
# Job 2: Fast Dependency (SCA) and Infrastructure-as-Code (IaC) Scan
65+
# Job 2: Fast Dependency (SCA) and Infrastructure-as-Code (IaC) Scan
6666
supply-chain:
6767
name: Trivy Security Scan
6868
runs-on: 'ubuntu-latest'
@@ -75,13 +75,14 @@ jobs:
7575
uses: actions/checkout@v4
7676

7777
- name: Run Trivy Vulnerability Scanner
78-
uses: aquasecurity/trivy-action@master
78+
uses: aquasecurity/trivy-action@v0.36.0 # Pinned to a stable release version
7979
with:
80-
scan-type: 'fs' # Scans the entire file system of the repo
81-
security-checks: 'vuln,config' # 'vuln' catches bad dependencies, 'config' catches Docker/IaC flaws
82-
format: 'sarif' # Generates a standard format GitHub understands
80+
scan-type: 'fs'
81+
scan-ref: '.' # Explicitly targets the repo root directory
82+
scanners: 'vuln,config' # Replaced 'security-checks' with the valid 'scanners' input
83+
format: 'sarif'
8384
output: 'trivy-results.sarif'
84-
severity: 'CRITICAL,HIGH' # Filters out low-priority noise
85+
severity: 'CRITICAL,HIGH'
8586

8687
- name: Upload Trivy results to GitHub Security
8788
uses: github/codeql-action/upload-sarif@v4

0 commit comments

Comments
 (0)