Merge pull request #87 from marinade-finance/trivy-update

trivy: update - do not omit report on fail
marinade-finance · Jan 23, 2025 · 1973861 · 1973861
2 parents aed5e7e + 853a189
commit 1973861
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 27 deletions.
diff --git a/.github/workflows/trivy-scan.yaml b/.github/workflows/trivy-scan.yaml
@@ -6,31 +6,43 @@ jobs:
     name: Scan
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout project
-      uses: actions/checkout@v4
+      - name: Checkout project
+        uses: actions/checkout@v4
 
-    - name: Run Trivy scanner
-      uses: aquasecurity/trivy-action@master
-      env:
-        TRIVY_SKIP_DB_UPDATE: true
-        TRIVY_SKIP_JAVA_DB_UPDATE: true
-      with:
-        scan-type: fs
-        format: table
-        scan-ref: .
-        hide-progress: false
-        output: trivy.txt
-        severity: CRITICAL
-        ignore-unfixed: true
-        exit-code: 1
+      - name: Run Trivy scanner - generate update
+        uses: aquasecurity/trivy-action@master
+        env:
+          TRIVY_SKIP_DB_UPDATE: true
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
+        with:
+          scan-type: fs
+          format: table
+          scan-ref: .
+          hide-progress: false
+          output: trivy.txt
 
-    - name: Publish Trivy Output to Summary
-      run: |
-        if [[ -s trivy.txt ]]; then
-          {
-            echo "### Security Output"
-            echo '```terraform'
-            cat trivy.txt
-            echo '```'
-          } >> $GITHUB_STEP_SUMMARY
-        fi
+      - name: Publish Trivy Output to Summary
+        run: |
+          if [[ -s trivy.txt ]]; then
+            {
+              echo "### Security Output"
+              echo '```terraform'
+              cat trivy.txt
+              echo '```'
+            } >> $GITHUB_STEP_SUMMARY
+          fi
+
+      - name: Run Trivy scanner - Fail build on Criticial Vulnerabilities
+        uses: aquasecurity/trivy-action@master
+        env:
+          TRIVY_SKIP_DB_UPDATE: true
+          TRIVY_SKIP_JAVA_DB_UPDATE: true
+        with:
+          scan-type: fs
+          format: table
+          scan-ref: .
+          hide-progress: false
+          output: trivy.txt
+          severity: CRITICAL
+          ignore-unfixed: true
+          exit-code: 1
diff --git a/.github/workflows/trivy-udpate-cache.yaml b/.github/workflows/trivy-udpate-cache.yaml
@@ -5,7 +5,7 @@ name: Trivy - Cache Update
 on:
   workflow_dispatch:
   schedule:
-    - cron: '0 0 * * *'
+    - cron: "0 0 * * *"
 
 jobs:
   update-trivy-db: