mirror of
https://github.com/gin-gonic/gin.git
synced 2025-11-30 10:42:14 +08:00
5e5ff3ace4
- Remove the vulnerability-scanning job from the gin workflow - Add a dedicated Trivy security scan workflow with scheduled, push, pull request, and manual triggers - Improve Trivy scan output by uploading SARIF results to the GitHub Security tab and logging table output Signed-off-by: Bo-Yi Wu <appleboy.tw@gmail.com>
58 lines
1.5 KiB
YAML
58 lines
1.5 KiB
YAML
name: Trivy Security Scan
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- master
|
|
pull_request:
|
|
branches:
|
|
- master
|
|
schedule:
|
|
# Run every 3 months (quarterly) on the 1st day at 00:00 UTC
|
|
# Months: January (1), April (4), July (7), October (10)
|
|
- cron: '0 0 1 1,4,7,10 *'
|
|
workflow_dispatch: # Allow manual trigger
|
|
|
|
permissions:
|
|
contents: read
|
|
security-events: write # Required for uploading SARIF results
|
|
|
|
jobs:
|
|
trivy-scan:
|
|
name: Trivy Security Scan
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v5
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Run Trivy vulnerability scanner (source code)
|
|
uses: aquasecurity/trivy-action@0.33.1
|
|
with:
|
|
scan-type: 'fs'
|
|
scan-ref: '.'
|
|
scanners: 'vuln,secret,misconfig'
|
|
format: 'sarif'
|
|
output: 'trivy-results.sarif'
|
|
severity: 'CRITICAL,HIGH,MEDIUM'
|
|
ignore-unfixed: true
|
|
|
|
- name: Upload Trivy results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
if: always()
|
|
with:
|
|
sarif_file: 'trivy-results.sarif'
|
|
|
|
- name: Run Trivy scanner (table output for logs)
|
|
uses: aquasecurity/trivy-action@0.33.1
|
|
if: always()
|
|
with:
|
|
scan-type: 'fs'
|
|
scan-ref: '.'
|
|
scanners: 'vuln,secret,misconfig'
|
|
format: 'table'
|
|
severity: 'CRITICAL,HIGH,MEDIUM'
|
|
ignore-unfixed: true
|
|
exit-code: '1'
|