
security: add security guidelines for agents (atlan-python) #165


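# Builds the project image, scans the image and uv.lock with Trivy, publishes
# the results (job summary + SARIF to code scanning) and, as the last two
# steps, fails the job on unignored CRITICAL/HIGH findings.
#
# Supply-chain note: every third-party action below is pinned to a version
# tag. Tags can be re-pointed; pinning each `uses:` to a full commit SHA (with
# the tag in a trailing comment) is the stronger guarantee once the SHAs have
# been looked up from the upstream repositories.
name: Trivy Image and Dependency Scan

on:
  pull_request:
    types: [opened, synchronize, reopened]
    branches: [main]
  push:
    branches: [main]

# Least privilege for GITHUB_TOKEN: contents:read for checkout,
# security-events:write (plus actions:read) for upload-sarif. No step in this
# job comments on pull requests -- the report goes to $GITHUB_STEP_SUMMARY --
# so pull-requests:write is deliberately not granted.
permissions:
  contents: read
  actions: read
  security-events: write

jobs:
  trivy:
    runs-on: ubuntu-latest
    timeout-minutes: 20
    # Pin the vulnerability DB mirrors once for every Trivy step in the job.
    # The Java DB is only consulted when Trivy finds Java artifacts (i.e. in
    # the image scan); it is harmless for the uv.lock scans.
    env:
      TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
      TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4

      # NOTE(review): repository secrets are not exposed to pull_request runs
      # from forks, so this login (and an image build that pulls from
      # cgr.dev) is expected to fail for fork PRs -- confirm that is intended.
      - name: Log in to Chainguard Container Registry
        uses: docker/login-action@v4
        with:
          registry: cgr.dev
          username: ${{ secrets.CHAINGUARD_USERNAME }}
          password: ${{ secrets.CHAINGUARD_PASSWORD }}

      # Build locally only; the image is never pushed, it exists solely to be
      # scanned under the tag used by the image-ref inputs below.
      - name: Build image
        uses: docker/build-push-action@v7
        with:
          context: .
          file: ./Dockerfile
          push: false
          load: true
          tags: pyatlan-trivy:latest

      # Reporting scans use exit-code '0' so the table/SARIF artifacts are
      # always produced; the gating scans at the end use exit-code '1'.
      # `version` pins the Trivy binary independently of the action tag.
      # ignore-unfixed drops findings with no upstream fix from every report
      # and from the gate -- a policy choice, not a correctness setting.
      - name: Trivy image scan (table)
        uses: aquasecurity/trivy-action@0.34.2
        with:
          image-ref: pyatlan-trivy:latest
          scanners: 'vuln'
          version: 'v0.69.0'
          ignore-unfixed: true
          format: 'table'
          output: 'trivy-image.txt'
          severity: 'CRITICAL,HIGH'
          exit-code: '0'

      - name: Show Trivy image table
        if: always()
        shell: bash
        run: |
          echo "Trivy image scan (table)";
          if [ -f trivy-image.txt ]; then
            cat trivy-image.txt;
          else
            echo "No trivy-image.txt output found.";
          fi

      - name: Trivy image scan (SARIF)
        uses: aquasecurity/trivy-action@0.34.2
        with:
          image-ref: pyatlan-trivy:latest
          scanners: 'vuln'
          version: 'v0.69.0'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-image.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '0'

      # Filesystem scan limited to the lockfile, so transitive pins are
      # what gets checked rather than the declared ranges in pyproject.
      - name: Trivy dependency scan (uv.lock, table)
        uses: aquasecurity/trivy-action@0.34.2
        with:
          scan-type: fs
          scan-ref: uv.lock
          scanners: 'vuln'
          version: 'v0.69.0'
          ignore-unfixed: true
          format: 'table'
          output: 'trivy-deps.txt'
          severity: 'CRITICAL,HIGH'
          exit-code: '0'

      - name: Show Trivy dependency table
        if: always()
        shell: bash
        run: |
          echo "Trivy dependency scan (table)";
          if [ -f trivy-deps.txt ]; then
            cat trivy-deps.txt;
          else
            echo "No trivy-deps.txt output found.";
          fi

      - name: Trivy dependency scan (uv.lock, SARIF)
        uses: aquasecurity/trivy-action@0.34.2
        with:
          scan-type: fs
          scan-ref: uv.lock
          scanners: 'vuln'
          version: 'v0.69.0'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-deps.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '0'

      # NOTE(review): `advanced_security.status` is populated where GHAS is
      # licensed; on a public repository where code scanning is available
      # without it the field may be absent, making this condition false and
      # silently skipping the upload -- verify against a run on this repo.
      - name: Upload Trivy image results
        if: github.event.repository.security_and_analysis.advanced_security.status == 'enabled'
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-image.sarif'
          category: 'trivy-image'

      - name: Upload Trivy dependency results
        if: github.event.repository.security_and_analysis.advanced_security.status == 'enabled'
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-deps.sarif'
          category: 'trivy-deps'

      # Runs even when an earlier step failed so the job summary always shows
      # whatever tables were produced.
      - name: Publish Trivy summary
        if: always()
        shell: bash
        run: |
          {
            echo "## Trivy Image Scan (pyatlan-trivy:latest)";
            echo "";
            if [ -f trivy-image.txt ]; then
              echo '```';
              cat trivy-image.txt;
              echo '```';
            else
              echo "No image scan output found.";
            fi
            echo "";
            echo "## Trivy Dependency Scan (uv.lock)";
            echo "";
            if [ -f trivy-deps.txt ]; then
              echo '```';
              cat trivy-deps.txt;
              echo '```';
            else
              echo "No dependency scan output found.";
            fi
          } >> "$GITHUB_STEP_SUMMARY"

      # Gate: the same scans re-run with exit-code '1' so the job fails on any
      # unignored CRITICAL/HIGH finding after the reports have been published.
      - name: Fail on High/Critical vulnerabilities (image)
        uses: aquasecurity/trivy-action@0.34.2
        with:
          image-ref: pyatlan-trivy:latest
          scanners: 'vuln'
          version: 'v0.69.0'
          ignore-unfixed: true
          format: 'table'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'

      - name: Fail on High/Critical vulnerabilities (uv.lock)
        uses: aquasecurity/trivy-action@0.34.2
        with:
          scan-type: fs
          scan-ref: uv.lock
          scanners: 'vuln'
          version: 'v0.69.0'
          ignore-unfixed: true
          format: 'table'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'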