disable secrets and report on all vulns
This commit is contained in:
parent
7c75d04d52
commit
0f92cd592f
|
@ -2,26 +2,36 @@ name: Dependency Security Scan
|
|||
|
||||
on:
|
||||
pull_request:
|
||||
branches: 'main'
|
||||
branches: ['main']
|
||||
push:
|
||||
|
||||
jobs:
|
||||
trivy:
|
||||
name: Dependency Scan
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
if: (github.actor != 'dependabot[bot]')
|
||||
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
|
||||
# Fail the job on high/critical vulnerabiliies with fix available
|
||||
- name: Scan Dependencies and secrets
|
||||
# Report all vulnerabilities in CI output
|
||||
- name: Report on all vulnerabilities
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
ignore-unfixed: true
|
||||
hide-progress: true
|
||||
security-checks: 'vuln' # disable secrets scanning until public
|
||||
format: 'table'
|
||||
severity: 'HIGH,CRITICAL'
|
||||
|
||||
# Fail the job on critical vulnerabiliies with fix available
|
||||
- name: Fail on critical vulnerabilities
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
ignore-unfixed: true
|
||||
hide-progress: true
|
||||
security-checks: 'vuln' # disable secrets scanning until public
|
||||
format: 'table'
|
||||
severity: 'CRITICAL'
|
||||
exit-code: '1'
|
||||
|
|
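Review bot: Both trivy steps pull `aquasecurity/trivy-action@master`, a mutable branch ref, so the job executes whatever that branch holds at run time and there is no record of which scanner code actually examined the tree; pin to a release tag or, better, a full commit SHA with the version in a trailing comment, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # <release-tag>`. The new "Report on all vulnerabilities" step also contradicts its own comment: with `ignore-unfixed: true` and `severity: 'HIGH,CRITICAL'` it reports only fixable high/critical findings, so either drop those two inputs for the report step or reword the comment to `# Report fixable HIGH/CRITICAL vulnerabilities in CI output`. The inline `# disable secrets scanning until public` remark is repeated on both steps; a single comment under `jobs:` stating why secrets scanning is off and what condition re-enables it would be easier to keep current. The comment typo `vulnerabiliies` appears above both step headers.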