chore(deps): bump actions/attest-build-provenance (#14) #73
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Scan IaC Configs for Vulnerabilities | |
| on: | |
| push: | |
| branches: ["main"] | |
| pull_request: | |
| jobs: | |
| configs: | |
| permissions: | |
| contents: read # To checkout and read repository | |
| security-events: write # To upload to security tab | |
| name: Scan Configs | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/[email protected] | |
| - name: Run Trivy Vulnerability Scanner in IaC Mode | |
| uses: aquasecurity/[email protected] | |
| with: | |
| scan-type: "config" | |
| hide-progress: true | |
| format: "sarif" | |
| output: "trivy-results.sarif" | |
| exit-code: "1" | |
| severity: "CRITICAL,HIGH,MEDIUM" | |
| # NOTE: By default SARIF format enforces output of | |
| # all vulnerabilities regardless of configured severities. | |
| limit-severities-for-sarif: true | |
| - name: Upload Trivy Scan Results to GitHub Security Tab | |
| if: always() | |
| uses: github/codeql-action/[email protected] | |
| with: | |
| sarif_file: "trivy-results.sarif" | |
| category: "IaC-Config" |