apitech
/
grafana
mirror of https://github.com/grafana/grafana
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
The open and composable observability and data visualization platform. Visualize metrics, logs, and traces from multiple sources like Prometheus, Loki, Elasticsearch, InfluxDB, Postgres and many more.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
58406 Commits
5918 Branches
582 Tags
1.7 GiB
 
 
 
 
 
 
Tag: Branch: Tree: 23fa739a13
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '23fa739a13'
${ noResults }
grafana/.github/workflows/trivy-scan.yml

68 lines
2.3 KiB
Raw Blame History

name: Trivy Scan
on:
pull_request:
# only run on PRs where go.mod/go.sum/etc have been updated
paths:
- go.*
- .github/workflows/trivy-scan.yml
push:
branches:
- main
paths:
- go.*
- .github/workflows/trivy-scan.yml
jobs:
trivy-scan:
runs-on: ubuntu-22.04
steps:
- uses: actions/checkout@v4
- name: Install Trivy
uses: aquasecurity/setup-trivy@v0.2.2
with:
version: v0.56.2
cache: true
- name: Download Trivy DB
run: |
trivy fs --no-progress --download-db-only --db-repository public.ecr.aws/aquasecurity/trivy-db
- name: Run Trivy vulnerability scanner (table output)
# Use the trivy binary rather than the aquasecurity/trivy-action action
# to avoid a few bugs.
#
# We scan the file system rather than building the Docker image to only scan
# our direct dependencies. The Docker images are still scanned by
# Vulnerability Observability:
# - OSS: https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/projects/sources/1
# - Enterprise: https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/projects/sources/12
# (If these links are outdated, just go to the list and find the images manually.)
run: |
trivy fs \
--scanners vuln \
--format table \
--exit-code 1 \
--ignore-unfixed \
--pkg-types os,library \
--severity CRITICAL,HIGH \
--ignorefile .trivyignore \
--skip-files yarn.lock,package.json \
--skip-db-update \
.
- name: Run Trivy vulnerability scanner (SARIF)
# Use the trivy binary rather than the aquasecurity/trivy-action action
# to avoid a few bugs
run: |
trivy fs \
--scanners vuln \
--format sarif \
--output trivy-results.sarif \
--ignore-unfixed \
--pkg-types os,library \
--ignorefile .trivyignore \
--skip-db-update \
.
if: always() && github.repository == 'grafana/grafana'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
if: always() && github.repository == 'grafana/grafana'