diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index dc03ce2..e48c85d 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -7,42 +7,26 @@ on: - cron: '0 0 * * 0' # Run weekly on Sundays at midnight jobs: - trivy-scan: - name: Trivy Security Scan + grype-scan: + name: Grype Security Scan runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 - - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1 + - name: Run Grype vulnerability scanner + id: grype-scan + uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2 with: - scan-type: 'fs' - ignore-unfixed: true - format: 'sarif' - output: 'trivy-results.sarif' - severity: 'CRITICAL,HIGH' + path: "." + only-fixed: true + output-format: "sarif" + severity-cutoff: "high" + fail-build: false - - name: Upload Trivy scan results to GitHub Security tab + - name: Upload Grype scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@19b2f06db2b6f5108140aeb04014ef02b648f789 # v4 if: always() with: - sarif_file: 'trivy-results.sarif' - category: 'trivy-fs' - - - name: Run Trivy vulnerability scanner in IaC mode - uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1 - with: - scan-type: 'config' - hide-progress: false - format: 'sarif' - output: 'trivy-config-results.sarif' - exit-code: '1' - severity: 'CRITICAL,HIGH' - - - name: Upload Trivy IaC scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@19b2f06db2b6f5108140aeb04014ef02b648f789 # v4 - if: always() - with: - sarif_file: 'trivy-config-results.sarif' - category: 'trivy-config' \ No newline at end of file + sarif_file: ${{ steps.grype-scan.outputs.sarif }} + category: "grype" \ No newline at end of file
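Review bot: The IaC scan step (Trivy `scan-type: 'config'` with `exit-code: '1'`) is removed in this hunk without a replacement, and Grype scans packages and OS vulnerabilities only, so misconfiguration coverage disappears along with the one step that could fail the workflow on a finding; with `fail-build: false` on the new grype step, no result gates the run anymore and findings surface only in the Security tab. If that is intended, record it next to the job so the coverage drop is visible, e.g. `# Grype covers package/OS vulnerabilities only; the Trivy IaC (config) scan was dropped here — misconfiguration scanning needs a separate step`. The upload step keeps `if: always()`, but `sarif_file: ${{ steps.grype-scan.outputs.sarif }}` is empty if the scan step fails before writing its output; guarding with `if: always() && steps.grype-scan.outputs.sarif != ''` avoids an upload with an empty path (whether upload-sarif tolerates an empty input is not confirmed here). The new side also preserves the missing newline at end of file. The `on:` block and any `permissions:` grant the upload relies on lie outside the hunk.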