Remove Trivy scans from container CVE scan workflow
Trivy-based scanning steps and their summaries have been removed from the GitHub Actions workflow. This change focuses on streamlining the workflow by reducing redundancy and relying on alternate scanning methods.
This commit is contained in:
@@ -55,50 +55,6 @@ jobs:
|
|||||||
provenance: false
|
provenance: false
|
||||||
sbom: false
|
sbom: false
|
||||||
|
|
||||||
- name: Trivy scan (backend)
|
|
||||||
uses: aquasecurity/trivy-action@0.24.0
|
|
||||||
with:
|
|
||||||
image-ref: nexapg-backend:dev-scan
|
|
||||||
format: json
|
|
||||||
output: trivy-backend.json
|
|
||||||
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
|
|
||||||
ignore-unfixed: false
|
|
||||||
exit-code: 0
|
|
||||||
|
|
||||||
- name: Trivy scan (frontend)
|
|
||||||
uses: aquasecurity/trivy-action@0.24.0
|
|
||||||
with:
|
|
||||||
image-ref: nexapg-frontend:dev-scan
|
|
||||||
format: json
|
|
||||||
output: trivy-frontend.json
|
|
||||||
severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
|
|
||||||
ignore-unfixed: false
|
|
||||||
exit-code: 0
|
|
||||||
|
|
||||||
- name: Summarize Trivy severities
|
|
||||||
run: |
|
|
||||||
python - <<'PY'
|
|
||||||
import json
|
|
||||||
from collections import Counter
|
|
||||||
|
|
||||||
def summarize(path):
|
|
||||||
c = Counter()
|
|
||||||
with open(path, "r", encoding="utf-8") as f:
|
|
||||||
data = json.load(f)
|
|
||||||
for result in data.get("Results", []):
|
|
||||||
for v in result.get("Vulnerabilities", []) or []:
|
|
||||||
c[v.get("Severity", "UNKNOWN")] += 1
|
|
||||||
for sev in ["CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN"]:
|
|
||||||
c.setdefault(sev, 0)
|
|
||||||
return c
|
|
||||||
|
|
||||||
for label, path in [("backend", "trivy-backend.json"), ("frontend", "trivy-frontend.json")]:
|
|
||||||
s = summarize(path)
|
|
||||||
print(f"===== Trivy {label} =====")
|
|
||||||
print(f"CRITICAL={s['CRITICAL']} HIGH={s['HIGH']} MEDIUM={s['MEDIUM']} LOW={s['LOW']} UNKNOWN={s['UNKNOWN']}")
|
|
||||||
print()
|
|
||||||
PY
|
|
||||||
|
|
||||||
- name: Docker Scout scan (backend)
|
- name: Docker Scout scan (backend)
|
||||||
continue-on-error: true
|
continue-on-error: true
|
||||||
run: |
|
run: |
|
||||||
@@ -152,7 +108,5 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
name: container-cve-scan-reports
|
name: container-cve-scan-reports
|
||||||
path: |
|
path: |
|
||||||
trivy-backend.json
|
|
||||||
trivy-frontend.json
|
|
||||||
scout-backend.txt
|
scout-backend.txt
|
||||||
scout-frontend.txt
|
scout-frontend.txt
|
||||||
|
|||||||
Reference in New Issue
Block a user