From a725270cda72bfae0cf61b6c1c3bf87f8607d0db Mon Sep 17 00:00:00 2001
From: Akshay Iyyadurai Balasundaram
Date: Wed, 24 Jul 2024 11:22:26 +0200
Subject: [PATCH 1/3] chore: update dependencies in README
---
README.md | 54 +++++++++++++++++++++++++++---------------------------
1 file changed, 27 insertions(+), 27 deletions(-)
diff --git a/README.md b/README.md
index f76e6945..b1fce107 100644
--- a/README.md
+++ b/README.md
@@ -39,7 +39,7 @@ jobs: run: | docker build -t docker.io/my-organization/my-app:${{ github.sha }} . - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.20.0 + uses: aquasecurity/trivy-action@0.24.0 with: image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' format: 'table'
@@ -64,10 +64,10 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run Trivy vulnerability scanner in fs mode - uses: aquasecurity/trivy-action@0.20.0 + uses: aquasecurity/trivy-action@0.24.0 with: scan-type: 'fs' scan-ref: '.'
@@ -109,7 +109,7 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Generate tarball from image run: |
@@ -117,7 +117,7 @@ jobs: docker save -o vuln-image.tar - name: Run Trivy vulnerability scanner in tarball mode - uses: aquasecurity/trivy-action@0.20.0 + uses: aquasecurity/trivy-action@0.24.0 with: input: /github/workspace/vuln-image.tar severity: 'CRITICAL,HIGH'
@@ -138,14 +138,14 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Build an image from Dockerfile run: | docker build -t docker.io/my-organization/my-app:${{ github.sha }} . - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.20.0 + uses: aquasecurity/trivy-action@0.24.0 with: image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' format: 'sarif'
@@ -173,14 +173,14 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Build an image from Dockerfile run: | docker build -t docker.io/my-organization/my-app:${{ github.sha }} . - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.20.0 + uses: aquasecurity/trivy-action@0.24.0 with: image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' format: 'sarif'
@@ -212,10 +212,10 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@0.20.0 + uses: aquasecurity/trivy-action@0.24.0 with: scan-type: 'fs' ignore-unfixed: true
@@ -246,10 +246,10 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run Trivy vulnerability scanner with rootfs command - uses: aquasecurity/trivy-action@0.20.0 + uses: aquasecurity/trivy-action@0.24.0 with: scan-type: 'rootfs' scan-ref: 'rootfs-example-binary'
@@ -281,10 +281,10 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run Trivy vulnerability scanner in IaC mode - uses: aquasecurity/trivy-action@0.20.0 + uses: aquasecurity/trivy-action@0.24.0 with: scan-type: 'config' hide-progress: true
@@ -325,10 +325,10 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph - uses: aquasecurity/trivy-action@0.20.0 + uses: aquasecurity/trivy-action@0.24.0 with: scan-type: 'fs' format: 'github'
@@ -359,7 +359,7 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Scan image in a private registry - uses: aquasecurity/trivy-action@0.20.0 + uses: aquasecurity/trivy-action@0.24.0 with: image-ref: "private_image_registry/image_name:image_tag" scan-type: image
@@ -399,10 +399,10 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.20.0 + uses: aquasecurity/trivy-action@0.24.0 with: image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' format: 'sarif'
@@ -435,10 +435,10 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.20.0 + uses: aquasecurity/trivy-action@0.24.0 with: image-ref: 'aws_account_id.dkr.ecr.region.amazonaws.com/imageName:${{ github.sha }}' format: 'sarif'
@@ -471,10 +471,10 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.20.0 + uses: aquasecurity/trivy-action@0.24.0 with: image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' format: 'sarif'
@@ -504,10 +504,10 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.20.0 + uses: aquasecurity/trivy-action@0.24.0 with: image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' format: 'sarif'
@@ -530,7 +530,7 @@ This step is especially useful for private repositories without [GitHub Advanced ```yaml - name: Run Trivy scanner - uses: aquasecurity/trivy-action@0.20.0 + uses: aquasecurity/trivy-action@0.24.0 with: scan-type: config hide-progress: true
From 6eac2b63090de7075a920c084f07758b5fb536ed Mon Sep 17 00:00:00 2001
From: Akshay Iyyadurai Balasundaram
Date: Wed, 24 Jul 2024 11:26:37 +0200
Subject: [PATCH 2/3] chore: update the actions/checkout version in documentation
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index b1fce107..b3473db2 100644
--- a/README.md
+++ b/README.md
@@ -34,7 +34,7 @@ jobs: runs-on: ubuntu-20.04 steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Build an image from Dockerfile run: | docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
From 6967d248208a9a21712a8613429e97ae171e2f7a Mon Sep 17 00:00:00 2001
From: Akshay Iyyadurai Balasundaram
Date: Wed, 24 Jul 2024 13:11:17 +0200
Subject: [PATCH 3/3] chore: bump upload-sarif dependency from readme
---
README.md | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index b3473db2..fc48a04a 100644
--- a/README.md
+++ b/README.md
@@ -152,7 +152,7 @@ jobs: output: 'trivy-results.sarif' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' ```
@@ -187,7 +187,7 @@ jobs: output: 'trivy-results.sarif' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 if: always() with: sarif_file: 'trivy-results.sarif'
@@ -224,7 +224,7 @@ jobs: severity: 'CRITICAL' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' ```
@@ -259,7 +259,7 @@ jobs: severity: 'CRITICAL' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' ```
@@ -295,7 +295,7 @@ jobs: severity: 'CRITICAL,HIGH' - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' ```
@@ -412,7 +412,7 @@ jobs: TRIVY_PASSWORD: Password - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' ```
@@ -449,7 +449,7 @@ jobs: AWS_DEFAULT_REGION: us-west-2 - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' ```
@@ -483,7 +483,7 @@ jobs: GOOGLE_APPLICATION_CREDENTIAL: /path/to/credential.json - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' ```
@@ -517,7 +517,7 @@ jobs: TRIVY_PASSWORD: Password - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' ```