CI: scan code with trivy (#174)

j-chmielewski · j-chmielewski · commit 18015f4cd257 · 2025-09-30T09:44:42.000+02:00
* CI: scan code with trivy

* bump trivy action version

* include low severity vulns in sbom
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml
@@ -69,7 +69,7 @@ jobs:
           cache-to: type=gha,mode=max
 
       - name: Scan image with Trivy
-        uses: aquasecurity/trivy-action@0.32.0
+        uses: aquasecurity/trivy-action@0.33.1
         with:
           image-ref: "${{ env.GHCR_REPO }}:${{ github.sha }}-${{ matrix.tag }}"
           format: "table"
diff --git a/.github/workflows/sbom.yml b/.github/workflows/sbom.yml
@@ -32,7 +32,8 @@ jobs:
           format: 'spdx-json'
           output: "defguard-proxy-${{ env.VERSION }}.sbom.json"
           scan-ref: '.'
-          severity: "CRITICAL,HIGH,MEDIUM"
+          severity: "CRITICAL,HIGH,MEDIUM,LOW"
+          scanners: "vuln"
 
       - name: Create docker image SBOM with Trivy
         uses: aquasecurity/trivy-action@0.33.1
@@ -41,7 +42,7 @@ jobs:
           scan-type: 'image'
           format: 'spdx-json'
           output: "defguard-proxy-${{ env.VERSION }}-docker.sbom.json"
-          severity: "CRITICAL,HIGH,MEDIUM"
+          severity: "CRITICAL,HIGH,MEDIUM,LOW"
           scanners: "vuln"
 
       - name: Upload SBOM
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -34,6 +34,15 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: recursive
+      - name: Scan code with Trivy
+        uses: aquasecurity/trivy-action@0.33.1
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+          exit-code: "1"
+          ignore-unfixed: true
+          severity: "CRITICAL,HIGH,MEDIUM"
+          scanners: "vuln"
       - name: Cache
         uses: Swatinem/rust-cache@v2
       - name: Install protoc
