Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security scan pipeline update #4177

Merged
merged 17 commits into from
Jan 16, 2025
+143 −36
Merged

Security scan pipeline update #4177

Changes from 1 commit
Commits
Show all changes
17 commits
Select commit Hold shift + click to select a range
015c9b5
codeql settings update
AlexanderBarabanov Jan 15, 2025
6588556
codeql fix
AlexanderBarabanov Jan 15, 2025
0c5c08b
update trivy
AlexanderBarabanov Jan 15, 2025
601a9a6
update bandit
AlexanderBarabanov Jan 15, 2025
b60c9f3
trivy fix
AlexanderBarabanov Jan 15, 2025
cc9c166
trivy fix
AlexanderBarabanov Jan 15, 2025
8b34423
trivy fix
AlexanderBarabanov Jan 15, 2025
bcfa234
json output
AlexanderBarabanov Jan 15, 2025
5e037f9
trivy fix
AlexanderBarabanov Jan 15, 2025
2dc8cb9
trivy spdx
AlexanderBarabanov Jan 15, 2025
68dc05c
codeql added
AlexanderBarabanov Jan 15, 2025
4dd4ed4
bandit update
AlexanderBarabanov Jan 15, 2025
9806bab
remove bandit B320
AlexanderBarabanov Jan 15, 2025
7b3e4fa
remove bandit B410
AlexanderBarabanov Jan 15, 2025
d70043c
remove workflow_dispatch
AlexanderBarabanov Jan 15, 2025
f7ecfa4
revert trivy yaml
AlexanderBarabanov Jan 15, 2025
72a5b10
fix format
AlexanderBarabanov Jan 15, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
trivy fix
@AlexanderBarabanov
AlexanderBarabanov committed Jan 15, 2025
commit 8b344238435845890f8df3c8bef460c9559634d1
14 changes: 11 additions & 3 deletions .github/workflows/code_scan.yaml
View file
Original file line number Diff line number Diff line change
@@ -28,29 +28,37 @@ jobs:
- name: Freeze dependencies
run: pip-compile --extra=docs,base,mmlab,anomaly -o requirements.txt pyproject.toml

- name: Run Trivy Scan (vuln)
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
with:
scan-type: fs
scan-ref: requirements.txt
scanners: vuln
output: trivy-results-vuln.txt

- name: Trivy Scanning (spdx.json)
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
with:
scan-type: fs
scan-ref: .
format: spdx-json
output: trivy-results.spdx.json
output: trivy-results-spdx.json

- name: Run Trivy Scan (dockerfile and secrets)
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
if: always()
with:
scan-type: fs
scan-ref: .
scanners: misconfig,secret,vuln
scanners: misconfig,secret
output: trivy-results-misconfig.txt
skip-setup-trivy: true

- name: Upload Trivy results artifact
uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
with:
name: trivy-results
path: "${{ github.workspace }}/trivy-results.*"
path: "${{ github.workspace }}/trivy-results-*"
retention-days: 7
# Use always() to always run this step to publish scan results when there are test failures
if: ${{ always() }}