44 lines
1.3 KiB
YAML
44 lines
1.3 KiB
YAML
name: checks-trivy
|
|
on:
|
|
workflow_call:
|
|
|
|
jobs:
|
|
checks-trivy:
|
|
name: checks-trivy
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- uses: hashicorp/setup-terraform@v2
|
|
with:
|
|
terraform_version: 1.5.7
|
|
cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
|
|
- name: Clone repo
|
|
uses: actions/checkout@v4
|
|
- name: Setup SSH key
|
|
uses: benoitchantre/setup-ssh-authentication-action@1.0.1
|
|
with:
|
|
private-key: ${{ secrets.SSH_PRIVATE_KEY }}
|
|
private-key-name: id_ed25519
|
|
known-hosts: ${{ secrets.SSH_KNOWN_HOSTS }}
|
|
- name: Run terraform init
|
|
shell: bash
|
|
run: terraform init
|
|
- name: Run Trivy vulnerability scanner in IaC mode (LOW/MED)
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
scan-type: "config"
|
|
hide-progress: false
|
|
format: "table"
|
|
exit-code: "0"
|
|
ignore-unfixed: true
|
|
severity: "LOW,MEDIUM"
|
|
- name: Run Trivy vulnerability scanner in IaC mode (HIGH/CRIT)
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
scan-type: "config"
|
|
hide-progress: false
|
|
format: "table"
|
|
exit-code: "1"
|
|
ignore-unfixed: true
|
|
severity: "CRITICAL,HIGH"
|