diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml new file mode 100644 index 0000000..ce94420 --- /dev/null +++ b/.github/workflows/security-scan.yml @@ -0,0 +1,30 @@ +name: Security Scan + +on: + pull_request: + +jobs: + grype-security-scan: + runs-on: ubuntu-latest + name: Grype + permissions: + contents: read + security-events: write + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + - name: Security Scan + id: grype-scan + uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2 + with: + path: "." + fail-build: true + only-fixed: true + severity-cutoff: "high" + output-format: "sarif" + + - name: Upload scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4 + with: + sarif_file: ${{ steps.grype-scan.outputs.sarif }} + category: "grype" diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml deleted file mode 100644 index 8128995..0000000 --- a/.github/workflows/trivy.yml +++ /dev/null @@ -1,33 +0,0 @@ -name: Trivy Scan - -on: - pull_request: - -jobs: - trivy-code-security-scan: - runs-on: ubuntu-latest - name: Trivy - permissions: - contents: read - security-events: write - steps: - - name: Checkout - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 - - name: Security Scan - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0 - with: - scan-type: 'fs' - scanners: vuln,secret - exit-code: 1 - ignore-unfixed: true - format: 'sarif' - output: 'trivy-results.sarif' - env: - TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db - TRIVY_USERNAME: ${{ github.actor }} - TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4 - with: - sarif_file: 'trivy-results.sarif'