name: Trivy Scan on: pull_request: # only run on PRs where go.mod/go.sum/etc have been updated paths: - go.* - .github/workflows/trivy-scan.yml push: branches: - main paths: - go.* - .github/workflows/trivy-scan.yml jobs: trivy-scan: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 - name: Install Trivy uses: aquasecurity/setup-trivy@v0.2.2 with: version: v0.56.2 cache: true - name: Download Trivy DB run: | trivy fs --no-progress --download-db-only --db-repository public.ecr.aws/aquasecurity/trivy-db - name: Run Trivy vulnerability scanner (table output) # Use the trivy binary rather than the aquasecurity/trivy-action action # to avoid a few bugs. # # We scan the file system rather than building the Docker image to only scan # our direct dependencies. The Docker images are still scanned by # Vulnerability Observability: # - OSS: https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/projects/sources/1 # - Enterprise: https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/projects/sources/12 # (If these links are outdated, just go to the list and find the images manually.) run: | trivy fs \ --scanners vuln \ --format table \ --exit-code 1 \ --ignore-unfixed \ --pkg-types os,library \ --severity CRITICAL,HIGH \ --ignorefile .trivyignore \ --skip-files yarn.lock,package.json \ --skip-db-update \ . - name: Run Trivy vulnerability scanner (SARIF) # Use the trivy binary rather than the aquasecurity/trivy-action action # to avoid a few bugs run: | trivy fs \ --scanners vuln \ --format sarif \ --output trivy-results.sarif \ --ignore-unfixed \ --pkg-types os,library \ --ignorefile .trivyignore \ --skip-db-update \ . if: always() && github.repository == 'grafana/grafana' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' if: always() && github.repository == 'grafana/grafana'