Skip to content

trivy

trivy #3

Workflow file for this run

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
name: trivy
on:
schedule:
- cron: '0 0 * * *' # do it every day
# push:
# branches:
# - '**' # matches every branch
# pull_request:
# branches:
# - '**'
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
jobs:
build:
if: github.repository_owner == 'e-m-b-a'
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Trivy EMBA image check
runs-on: "ubuntu-20.04"
steps:
- name: Checkout EMBA
uses: actions/checkout@v3
- name: Free Disk Space
uses: jlumbroso/free-disk-space@main
with:
tool-cache: true
android: true
dotnet: true
haskell: true
large-packages: false
swap-storage: true
- name: Build trivy
run: |
git clone --branch 0.25.0 https://github.com/aquasecurity/trivy-action.git /tmp/trivy-action
sudo docker build -t d6f297:4714451b1eca4e41a4cc10f0a8a8c25a -f "/tmp/trivy-action/Dockerfile" "/tmp/trivy-action/"
- name: Run Trivy vulnerability scanner on EMBA image
run: |
sudo docker run --workdir /github/workspace --rm -e "INPUT_IMAGE-REF" -e "INPUT_FORMAT" -e "INPUT_TEMPLATE" \
-e "INPUT_OUTPUT" -e "INPUT_SEVERITY" -e "INPUT_TIMEOUT" -e "INPUT_SKIP-DIRS" -e "INPUT_SCAN-TYPE" -e "INPUT_INPUT" \
-e "INPUT_SCAN-REF" -e "INPUT_EXIT-CODE" -e "INPUT_IGNORE-UNFIXED" -e "INPUT_VULN-TYPE" -e "INPUT_SKIP-FILES" \
-e "INPUT_CACHE-DIR" -e "INPUT_IGNORE-POLICY" -e "INPUT_HIDE-PROGRESS" -e "INPUT_LIST-ALL-PKGS" -e "INPUT_SECURITY-CHECKS" \
-e "INPUT_TRIVYIGNORES" -e "INPUT_ARTIFACT-TYPE" -e "INPUT_GITHUB-PAT" -e "HOME" -e "GITHUB_JOB" -e "GITHUB_REF" \
-e "GITHUB_SHA" -e "GITHUB_REPOSITORY" -e "GITHUB_REPOSITORY_OWNER" -e "GITHUB_REPOSITORY_OWNER_ID" -e "GITHUB_RUN_ID" \
-e "GITHUB_RUN_NUMBER" -e "GITHUB_RETENTION_DAYS" -e "GITHUB_RUN_ATTEMPT" -e "GITHUB_REPOSITORY_ID" -e "GITHUB_ACTOR_ID" \
-e "GITHUB_ACTOR" -e "GITHUB_TRIGGERING_ACTOR" -e "GITHUB_WORKFLOW" -e "GITHUB_HEAD_REF" -e "GITHUB_BASE_REF" -e "GITHUB_EVENT_NAME" \
-e "GITHUB_SERVER_URL" -e "GITHUB_API_URL" -e "GITHUB_GRAPHQL_URL" -e "GITHUB_REF_NAME" -e "GITHUB_REF_PROTECTED" -e "GITHUB_REF_TYPE" \
-e "GITHUB_WORKFLOW_REF" -e "GITHUB_WORKFLOW_SHA" -e "GITHUB_WORKSPACE" -e "GITHUB_ACTION" -e "GITHUB_EVENT_PATH" -e "GITHUB_ACTION_REPOSITORY" \
-e "GITHUB_ACTION_REF" -e "GITHUB_PATH" -e "GITHUB_ENV" -e "GITHUB_STEP_SUMMARY" -e "GITHUB_STATE" -e "GITHUB_OUTPUT" -e "RUNNER_OS" -e "RUNNER_ARCH" \
-e "RUNNER_NAME" -e "RUNNER_ENVIRONMENT" -e "RUNNER_TOOL_CACHE" -e "RUNNER_TEMP" -e "RUNNER_WORKSPACE" -e "ACTIONS_RUNTIME_URL" -e "ACTIONS_RUNTIME_TOKEN" \
-e "ACTIONS_CACHE_URL" -e "ACTIONS_RESULTS_URL" -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" \
-v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" \
-v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/emba/emba":"/github/workspace" d6f297:4714451b1eca4e41a4cc10f0a8a8c25a \
"-a image" "-b template" "-c @/contrib/sarif.tpl" "-d " "-e false" "-f os,library" "-h trivy-results.sarif" \
"-i embeddedanalyzer/emba" \
"-j ." "-k /external/semgrep-rules,/external/routersploit,/external/arachni,/etc/ssl/private/,/external/jdk,/external/emba_venv/lib/python3.11/site-packages/cve_searchsploit/exploitdb,/external/dji-firmware-tools,/external/emba_venv/lib/python3.11/site-packages/binwalk*,/external/binwalk/src/plugins" \
"-l " "-m " "-n 60m" "-o " "-p " "-q " "-r false" "-s " "-t " "-u "
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'