Trivy #1274
| jobs: | ||
| trivy-scan: | ||
| name: Use Trivy | ||
| runs-on: ubuntu-24.04 |
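Review bot: Keep the explicit `runs-on: ubuntu-24.04` rather than moving to `ubuntu-latest` as suggested above; the floating label is re-pointed by GitHub whenever a new default image ships, so a scanning job can change behaviour with no change to this file. A pinned image is the more reproducible choice for a security check and should be bumped deliberately, in its own PR.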
[maintainability]
Consider using a more stable version of Ubuntu, such as ubuntu-latest, to ensure compatibility and reduce maintenance overhead when newer versions are released.
| ignore-unfixed: true | ||
| format: 'sarif' | ||
| output: 'trivy-results.sarif' | ||
| severity: 'CRITICAL,HIGH,UNKNOWN' |
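Review bot: `ignore-unfixed: true` drops every finding for which the upstream distribution has not yet shipped a fix, so a CRITICAL vulnerability without a patch never appears in the Security tab at all. If that is the intended policy, state it in a comment beside the setting; if visibility is wanted, remove it and suppress individual findings with a `.trivyignore` file instead, where each suppression is reviewable in the repo.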
[security]
Including UNKNOWN severity might lead to noisy results. Ensure that this is intentional and necessary for your security policy.
| - name: Upload Trivy scan results to GitHub Security tab | ||
| uses: github/codeql-action/upload-sarif@v3 | ||
| with: | ||
| sarif_file: 'trivy-results.sarif' No newline at end of file |
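Review bot: `github/codeql-action/upload-sarif@v3` needs `security-events: write` on GITHUB_TOKEN, and this job declares no `permissions:` block, so the upload only works if the repository's default token permissions happen to be permissive (the CodeQL check below flags the same gap). Declare `permissions:` on the job with just `contents: read` and `security-events: write` so the token is least-privilege regardless of repository settings.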
[💡 style]
Ensure that the SARIF file path is correct and accessible. A missing newline at the end of the file might cause issues in some systems.
| name: Use Trivy | ||
| runs-on: ubuntu-24.04 | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Run Trivy scanner in repo mode | ||
| uses: aquasecurity/[email protected] | ||
| with: | ||
| scan-type: 'fs' | ||
| ignore-unfixed: true | ||
| format: 'sarif' | ||
| output: 'trivy-results.sarif' | ||
| severity: 'CRITICAL,HIGH,UNKNOWN' | ||
| scanners: vuln,secret,misconfig,license | ||
| github-pat: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Upload Trivy scan results to GitHub Security tab | ||
| uses: github/codeql-action/upload-sarif@v3 | ||
| with: | ||
| sarif_file: 'trivy-results.sarif' No newline at end of file |
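Review bot: The `uses: aquasecurity/[email protected]` reference renders as mangled here; confirm the actual ref before merging, and prefer pinning this third-party action to a full-length commit SHA (with the version in a trailing comment) rather than a mutable tag, since the action runs with the job's token. Two further points on the scan step: no `exit-code` input is set, so the default leaves the job green even when CRITICAL findings are produced and results surface only in the Security tab, which should be a deliberate decision rather than an accident of defaults; and `github-pat: ${{ secrets.GITHUB_TOKEN }}` is, as far as I recall, only consumed when submitting an SBOM to the GitHub dependency snapshot API, so with `format: 'sarif'` it appears unused and can be dropped to avoid handing the token to the action unnecessarily.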
Check warning (Code scanning / CodeQL): Workflow does not contain permissions. Severity: Medium
Copilot Autofix (AI, 15 days ago):
To fix the problem, add the permissions block for the trivy-scan job (or for the root workflow if you want all jobs to inherit it). This block should enumerate the specific minimal permissions required for the current job steps:
- contents: read is required by nearly all workflows to fetch and check out code.
- security-events: write is needed to upload SARIF results to the GitHub Security tab using codeql-action/upload-sarif.
Add:

    permissions:
      contents: read
      security-events: write

to the trivy-scan job definition, directly below runs-on. This ensures GITHUB_TOKEN has only these two permissions during job execution.
No external methods or imports are required; it's a YAML block edit.
| @@ -9,6 +9,9 @@ | ||
| trivy-scan: | ||
| name: Use Trivy | ||
| runs-on: ubuntu-24.04 | ||
| permissions: | ||
| contents: read | ||
| security-events: write | ||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 |
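Review bot: The job-scoped block is the right place for these two permissions, but also add a top-level `permissions: {}` (or `contents: read`) at the workflow root so any job added to this file later starts from a read-only token instead of the repository default; a job-level `permissions:` block still overrides it where more is needed. If this is a private repository, `upload-sarif` additionally needs `actions: read` to look up the run status, per the codeql-action documentation.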
Related JIRA Ticket:
https://topcoder.atlassian.net/browse/
What's in this PR?
Enable Trivy for the repo.