t.behrendt/sec-workflows
1
0
Fork 0
Code Issues 2 Pull Requests 4 Actions Releases Activity

Compare commits

base: t.behrendt:0.2.1
Branches Tags
t.behrendt:main t.behrendt:refactor-to-osv-scanner t.behrendt:renovate/https-gitea.t000-n.de-t.behrendt-conventional-semantic-git-tag-increment-0.x t.behrendt:renovate/https-gitea.t000-n.de-t.behrendt-actions-0.x t.behrendt:renovate/https-gitea.t000-n.de-t.behrendt-trivy-actions-digest
t.behrendt:0.2.4 t.behrendt:0.2.3 t.behrendt:0.2.2 t.behrendt:0.2.1 t.behrendt:0.2.0 t.behrendt:0.1.2-rc-97ed0a241c52e8ce2fe90ae3b2c551d7256858a3 t.behrendt:0.1.1 t.behrendt:0.2.0-rc-4dde0beec8ac4781e9da3e43fcb27eb26c7d1a92 t.behrendt:0.1.0 t.behrendt:0.1.0-rc-f0811239154d86afcc96faf56f8fd7c1f14a9f7c
...
compare: t.behrendt:0.2.0-rc-4dde0beec8ac4781e9da3e43fcb27eb26c7d1a92
Branches Tags
t.behrendt:refactor-to-osv-scanner t.behrendt:renovate/https-gitea.t000-n.de-t.behrendt-conventional-semantic-git-tag-increment-0.x t.behrendt:renovate/https-gitea.t000-n.de-t.behrendt-actions-0.x t.behrendt:renovate/https-gitea.t000-n.de-t.behrendt-trivy-actions-digest t.behrendt:main
t.behrendt:0.2.4 t.behrendt:0.2.3 t.behrendt:0.2.2 t.behrendt:0.2.1 t.behrendt:0.2.0 t.behrendt:0.1.2-rc-97ed0a241c52e8ce2fe90ae3b2c551d7256858a3 t.behrendt:0.1.1 t.behrendt:0.2.0-rc-4dde0beec8ac4781e9da3e43fcb27eb26c7d1a92 t.behrendt:0.1.0 t.behrendt:0.1.0-rc-f0811239154d86afcc96faf56f8fd7c1f14a9f7c

1 Commits
0.2.1 ... 0.2.0-rc-4

Author SHA1 Message Date
Timo Behrendt
4dde0beec8 feat: add fs scan 2026-02-26 21:13:29 +01:00
1 changed files with 25 additions and 1 deletions
Expand all files Collapse all files

26
.gitea/workflows/run-trivy-scan.yaml
View File

@@ -23,6 +23,11 @@ on:
required: false
type: string
default: ""
scan-fs:
description: "Run Trivy file system scan on the repository root."
required: false
type: boolean
default: false
outputs:
merged-sarif-artifact:
description: "Artifact name containing the merged SARIF file (download this artifact; file inside is merged-sarif.json)."
@@ -110,9 +115,25 @@ jobs:
name: image-sarif
path: image-sarif.json
fs-scan:
if: inputs.scan-fs
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-trivy@1.4.4
- uses: https://gitea.t000-n.de/t.behrendt/trivy-actions/setup-db@1.4.4
- run: |
trivy fs --cache-dir "$TRIVY_CACHE_DIR" --exit-code 0 --format sarif --output fs-sarif.json --scanners vuln .
env:
TRIVY_CACHE_DIR: ${{ runner.temp }}/trivy
- uses: https://github.com/ChristopherHX/gitea-upload-artifact@v4
with:
name: fs-sarif
path: fs-sarif.json
merge:
runs-on: ubuntu-latest
needs: [config-scan, image-scan]
needs: [config-scan, image-scan, fs-scan]
if: always() && (needs.config-scan.result == 'success' || needs.config-scan.result == 'skipped') && (needs.image-scan.result == 'success' || needs.image-scan.result == 'skipped') && (inputs.scan-config || inputs.scan-images)
outputs:
merged-sarif-artifact: ${{ steps.outputs.outputs.merged-sarif-artifact }}
@@ -145,6 +166,9 @@ jobs:
if [ "${{ inputs.scan-images }}" = "true" ] && [ -f image-sarif-artifact/image-sarif.json ]; then
[ -n "$files" ] && files="$files"$'\n'" - image-sarif-artifact/image-sarif.json" || files="- image-sarif-artifact/image-sarif.json"
fi
if [ "${{ inputs.scan-fs }}" = "true" ] && [ -f fs-sarif-artifact/fs-sarif.json ]; then
[ -n "$files" ] && files="$files"$'\n'" - fs-sarif-artifact/fs-sarif.json" || files="- fs-sarif-artifact/fs-sarif.json"
fi
echo "files<<EOF" >> "$GITHUB_OUTPUT"
echo "$files" >> "$GITHUB_OUTPUT"
echo "EOF" >> "$GITHUB_OUTPUT"