Commit f1c270f
ci: add trivy filesystem scanning workflow (#148)
This commit provides a basic GHA to enable Trivy FS scanning on the main branch that can be invoked ad-hoc or through a `cron` schedule.
It scans from the root of repo and reports on `CRITICAL` or `HIGH` vulnerabilities that have fixes available. It will also scan for secrets. It will always exit with status code 0 and upload its results to the GitHub Security tab.
The workflow is configured to fire every Sunday at 6:00 AM UTC and also supports manually invoking it. I personally did not see any reason to run this on pull_requests and/or pushes to `main` branches as vulnerabilities could be disclosed / fixes made available **at any time**. Therefore, having it set on a weekly schedule as well as supported ad-hoc runs seems a reasonable way to manage.
Additionally, the build has an `if:` conditional to prevent the `schedule` runs from running on forks in an attempt to be a good/responsible GitHub citizen.
Signed-off-by: Andy Stoneberg <[email protected]>

1 parent 89271a2 commit f1c270f
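A workflow matching the behaviour the commit message describes, written here as an added example from that description; it is not the file this commit adds. The `trivy-action` version tag and the `OWNER/REPO` value in the fork check are assumptions.

```yaml
name: Trivy filesystem scan

on:
  schedule:
    - cron: '0 6 * * 0'      # every Sunday at 06:00 UTC
  workflow_dispatch:          # allow ad-hoc runs from the Actions tab

permissions:
  contents: read
  security-events: write      # required to upload SARIF to the Security tab

jobs:
  trivy-fs:
    # Skip the cron run on forks; manual runs are still allowed anywhere.
    # OWNER/REPO is a placeholder for the upstream repository name.
    if: github.event_name != 'schedule' || github.repository == 'OWNER/REPO'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run Trivy against the repository root
        # Version tag is an assumption; pin to a commit SHA for supply-chain hygiene.
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln,secret     # vulnerability and secret detection
          severity: CRITICAL,HIGH
          ignore-unfixed: true      # only report findings that have a fix available
          exit-code: '0'            # never fail the job; findings go to the Security tab
          format: sarif
          output: trivy-results.sarif

      - name: Upload results to the GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
```

Because `exit-code` is `0`, the job is green even when CRITICAL or HIGH findings exist, so the Security tab (Code scanning alerts), not the run status, is where results have to be reviewed.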
1 file changed: +34 −0 lines changed

[Diff: 34 added lines in one file; the file contents are not present in this rendering, only the line numbers.]
0 commit comments