diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 91668a2..0517031 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -13,8 +13,8 @@ on:
 - cron: '23 20 * * 2'
 jobs:
- scan-trivy:
- name: sec-scan-trivy
+ repository-scan:
+ name: Repository scan
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
@@ -35,3 +35,27 @@ jobs:
 uses: github/codeql-action/upload-sarif@v2
 with:
 sarif_file: 'trivy-results.sarif'
+
+ helm-scan:
+ name: Helm scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@master
+ with:
+ scan-type: 'fs'
+ security-checks: 'vuln,config,secret'
+ scan-ref: 'chart'
+ ignore-unfixed: true
+ format: 'sarif'
+ output: 'trivy-helm-results.sarif'
+ severity: 'LOW,MEDIUM,HIGH,CRITICAL'
+ skip-dirs: 'tests'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-helm-results.sarif'
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f71c670..9cf02de 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -62,7 +62,7 @@ jobs:
 load: true
 tags: ghcr.io/infratographer/fertilesoil/treeman:latest
- - name: Run Trivy vulnerability scanner
+ - name: Run Trivy vulnerability scanner on container image
 uses: aquasecurity/trivy-action@master
 with:
 image-ref: ghcr.io/infratographer/fertilesoil/treeman:latest
@@ -70,12 +70,9 @@ jobs:
 ignore-unfixed: true
 severity: 'HIGH,CRITICAL'
 format: 'sarif'
- output: 'trivy-results.sarif'
+ output: 'trivy-img-results.sarif'
 - name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v2
 with:
- sarif_file: 'trivy-results.sarif'
-
- - name: Inspect action SARIF report
- run: cat 'trivy-results.sarif'
+ sarif_file: 'trivy-img-results.sarif'
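Review bot: The new helm-scan job pins the scanner to a moving branch, `uses: aquasecurity/trivy-action@master`, so the code that runs inside a security workflow with access to the checkout changes whenever that branch does; pin it to a release tag or, better, a full commit SHA with a version comment, as the neighbouring `actions/checkout@v3` and `upload-sarif@v2` at least pin a tag. A floating ref also means a renamed input such as `security-checks` can break the job without any change on this side. Both jobs now upload Trivy SARIF for the same commit with no `category:` on the upload step; if code scanning keys the analyses only on tool and commit, one upload can supersede the other, so give each job a distinct value such as `category: trivy-helm`. If the workflow-level `permissions:` outside the hunk does not already grant it, the job also needs `security-events: write` for the upload step to succeed.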
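Review bot: Dropping the `Inspect action SARIF report` step removes the only place the image-scan findings were visible in the job log, and when `upload-sarif` cannot publish (for example on pull requests from forks, where the token lacks `security-events: write`) nothing of `trivy-img-results.sarif` is retained. Rather than echoing it, keep the report as a build artifact with an `actions/upload-artifact` step using `if: always()` and `path: trivy-img-results.sarif`, so the scan stays reviewable even when the upload step fails. The severity filter `'HIGH,CRITICAL'` here also differs from the `'LOW,MEDIUM,HIGH,CRITICAL'` used by the new helm-scan job in security.yml; if that asymmetry is intentional it deserves a comment, otherwise align them. The enclosing job starts outside the hunk.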