add trivy.yml (#69)

* add trivy.yml * update package-lock.json * add irrelevant esbuild issues to trivyignore
wmo-im · Nov 6, 2024 · 043d639 · 043d639
1 parent 65e8b20
commit 043d639
Show file tree

Hide file tree

Showing 3 changed files with 619 additions and 480 deletions.
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -0,0 +1,26 @@
+name: Run Trivy vulnerability scanner
+
+on: [ push ]
+
+jobs:
+  main:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Build wis2box-webapp
+        run: |
+          docker build -t wis2box-webapp:test .
+      - name: Run Trivy vulnerability scanner on wis2box-webapp
+        uses: aquasecurity/trivy-action@0.20.0
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
+          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
+        with:
+          image-ref: 'wis2box-webapp:test'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+          ignorefile: '.trivyignore'
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,4 @@
+# our image does not use the network features of esbuild https://esbuild.github.io/api/#serve
+CVE-2024-24790
+CVE-2023-45288
+CVE-2024-34156