From 9a0e8184037c0bdffaf30f7e087b67977339645b Mon Sep 17 00:00:00 2001 From: hgn Date: Wed, 15 Jan 2025 23:22:45 +0100 Subject: [PATCH] Update .github/workflows.yaml --- .github/workflows.yaml | 42 ++++++++++++++++++++++++++---------------- 1 file changed, 26 insertions(+), 16 deletions(-) diff --git a/.github/workflows.yaml b/.github/workflows.yaml index 394c807..9b665f7 100644 --- a/.github/workflows.yaml +++ b/.github/workflows.yaml @@ -1,19 +1,29 @@ -name: Gitea Actions Demo -run-name: ${{ gitea.actor }} is testing out Gitea Actions 🚀 -on: [push] - +name: build +on: + push: + branches: + - main + - devpod + pull_request: jobs: - Explore-Gitea-Actions: - runs-on: ubuntu-latest + build: + name: Build + runs-on: ubuntu-20.04 steps: - - run: echo "🎉 The job was automatically triggered by a ${{ gitea.event_name }} event." - - run: echo "🐧 This job is now running on a ${{ runner.os }} server hosted by Gitea!" - - run: echo "🔎 The name of your branch is ${{ gitea.ref }} and your repository is ${{ gitea.repository }}." - - name: Check out repository code + - name: Checkout code uses: actions/checkout@v4 - - run: echo "💡 The ${{ gitea.repository }} repository has been cloned to the runner." - - run: echo "🖥️ The workflow is now ready to test your code on the runner." - - name: List files in the repository - run: | - ls ${{ gitea.workspace }} - - run: echo "🍏 This job's status is ${{ job.status }}." \ No newline at end of file + + - name: Run Trivy vulnerability scanner in IaC mode + uses: aquasecurity/trivy-action@0.28.0 + with: + scan-type: 'config' + hide-progress: true + format: 'sarif' + output: 'trivy-results.sarif' + exit-code: '1' + severity: 'CRITICAL,HIGH' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: 'trivy-results.sarif' \ No newline at end of file