-
Notifications
You must be signed in to change notification settings - Fork 0
78 lines (69 loc) · 3.35 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
name: Aqua
on: pull_request
jobs:
aqua:
name: trivy
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v2
# container-test-job:
# runs-on: ubuntu-latest
# container:
# image: 151013160191/trivy-user-test:tagname
# env:
# AQUA_KEY: ${{ secrets.AQUA_KEY_CNAPP_DEV }}
# AQUA_SECRET: ${{ secrets.AQUA_SECRET_CNAPP_DEV }}
# GITHUB_TOKEN: ${{ github.token }}
# AQUA_URL: https://api.dev.supply-chain.cloud.aquasec.com
# CSPM_URL: https://stage.api.cloudsploit.com
# TRIVY_RUN_AS_PLUGIN: 'aqua'
# volumes:
# - /home/runner/work/_temp/_github_home:/gituser/home
# - /var/run/docker.sock:/var/run/docker.sock
# - /home/runner/work/_temp/_github_home:/github/home
# - /home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/chat-app/chat-app":"/github/workspace"
# steps:
# - name: Check for dockerenv file
# run: |
# trivy fs --scanners config,vuln,secret .
- name: Run Aqua scanner- trivytestdocker
uses: docker://aquasec/aqua-scanner:latest
with:
args: trivy fs --scanners config,vuln,secret --debug .
# To customize which severities to scan for, add the following flag: --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
# # To enable SAST scanning, add: --sast
# # To enable reachability scanning, add: --reachability
# # To enable npm/dotnet non-lock file scanning, add: --package-json / --dotnet-proj
# volumes:
# - my_docker_volume:/volume_mount
env:
AQUA_KEY: ${{ secrets.AQUA_KEY_CNAPP_DEV }}
AQUA_SECRET: ${{ secrets.AQUA_SECRET_CNAPP_DEV }}
GITHUB_TOKEN: ${{ github.token }}
AQUA_URL: https://api.dev.supply-chain.cloud.aquasec.com
CSPM_URL: https://stage.api.cloudsploit.com
TRIVY_RUN_AS_PLUGIN: 'aqua'
# For http/https proxy configuration add env vars: HTTP_PROXY/HTTPS_PROXY, CA-CRET (path to CA certificate)
# - name: Run Trivy vulnerability scanner in IaC mode
# # uses: aquasecurity/trivy-action@master
# # with:
# # scan-type: 'fs'
# # security-checks: 'vuln,config,secret'
# # hide-progress: false
# # format: 'table'
# # # Customizing which severities are scanned for is done by adding the following flag: severity: 'UNKNOWN','LOW','MEDIUM','HIGH','CRITICAL'
# run: |
# trivyVersion=0.32.0
# curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b . v${trivyVersion}
# ./trivy plugin install github.com/tzurielweisberg/plugin-version
# ./trivy fs --debug --scanners secret --package-json .
# env:
# # AQUA_KEY: b3L9KDF8q9u0C9PG46Ogub
# # AQUA_SECRET: IvApjjTavkLcaJeAXpLfzmymtF9tDIB1xim
# AQUA_KEY: ${{secrets.AQUA_KEY}}
# AQUA_SECRET: ${{secrets.AQUA_SECRET}}
# GITHUB_TOKEN: ${{secrets.GH_TOKEN}} #${{ github.token }}
# AQUA_URL: https://api.dev.supply-chain.cloud.aquasec.com
# CSPM_URL: https://stage.api.cloudsploit.com
# TRIVY_RUN_AS_PLUGIN: 'aqua'