diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 91c2936..2ac4e13 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -1,8 +1,4 @@
-name: Vulnerability Scan
-run-name: Vulnerability Scan for ${{ inputs.target }} ${{ inputs.image && format('({0})', inputs.image) || '' }}
-# This workflow performs security vulnerability scanning on Docker images or source code
-# using Trivy and Grype tools. It can be triggered manually via workflow_dispatch.
-
+name: Docker Security Scan
 on:
   workflow_dispatch:
     inputs:
@@ -15,22 +11,21 @@ on:
           - docker
           - source
       image:
-        description: "Docker image (for docker). By default ghcr.io//:latest"
+        description: "Docker image (for 'docker' target). By default ghcr.io//:latest"
         required: false
         default: ""
-        type: string
       only-high-critical:
-        description: "Scope only HIGH + CRITICAL"
+        description: "Scan only HIGH + CRITICAL"
         required: false
         default: true
         type: boolean
       trivy-scan:
-        description: "Trivy scan"
+        description: "Run Trivy scan"
         required: false
         default: true
         type: boolean
       grype-scan:
-        description: "Grype scan"
+        description: "Run Grype scan"
         required: false
         default: true
         type: boolean
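Review bot: The new `name: Docker Security Scan` no longer matches what the workflow does, since the `target` choice in the next hunk still offers `source` alongside `docker`, and dropping `run-name` means the Actions run list no longer shows which target or image a run scanned. Consider a neutral `name: Security Scan` and restoring `run-name: Security Scan for ${{ inputs.target }} ${{ inputs.image && format('({0})', inputs.image) || '' }}`. The two deleted header comment lines were the only place the Trivy/Grype purpose and the manual-trigger-only behaviour were documented; carrying them over (updated for the new name) would keep the file self-describing.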
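Review bot: Removing `type: string` leaves `image` as the only input without an explicit type; workflow_dispatch defaults to string so behaviour is unchanged, but every sibling input declares `type: boolean`, so keeping `type: string` under `image:` is the consistent choice. The description's default `ghcr.io//:latest` has two consecutive slashes, which looks like the owner and repository placeholders were lost rather than an intended value — presumably something like `ghcr.io/<owner>/<repo>:latest` was meant; worth confirming since the commit rewrites this line anyway. The `target` input definition begins above this hunk.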
@@ -40,13 +35,18 @@ on:
         default: true
         type: boolean
 
+permissions:
+  contents: read
+  security-events: write
+  actions: read
+
 jobs:
   security-scan:
-    uses: Netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@main
+    uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@main
     with:
-      target: ${{ inputs.target }}
-      image: ${{ inputs.image }}
-      only-high-critical: ${{ inputs.only-high-critical }}
+      target: ${{ github.event.inputs.target || 'source' }}
+      image: ${{ github.event.inputs.image || '' }}
+      only-high-critical: ${{ inputs.only-high-critical}}
       trivy-scan: ${{ inputs.trivy-scan }}
       grype-scan: ${{ inputs.grype-scan }}
-    continue-on-error: ${{ inputs.continue-on-error }}
+    continue-on-error: ${{ inputs.continue-on-error }}
\ No newline at end of file
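Review bot: `uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@main` still tracks a mutable branch, so each run executes whatever that repository currently has on `main` with the `security-events: write` permission this commit grants; the change only lowercases the owner. Pin the reusable workflow to a full commit SHA (or at minimum a release tag) and keep the human-readable ref as a comment, e.g. `uses: netcracker/qubership-workflow-hub/.github/workflows/re-security-scan.yml@<commit-sha> # main`; the new `permissions` block itself is a good addition, as it caps what the called workflow can be granted. The `with:` block now mixes `github.event.inputs.*` (always strings) with `inputs.*` for the same trigger; for `target` and `image` the result is identical, but `inputs.target` / `inputs.image` throughout would be consistent, and `inputs.only-high-critical}}` is missing the space before `}}`. The final line also loses its trailing newline, which looks unintended.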