From 77632b5a5aa0ac02c49922d51d3d72b37fdc6e48 Mon Sep 17 00:00:00 2001
From: Pohan Huang
Date: Thu, 28 May 2026 13:32:17 +0800
Subject: [PATCH] ci: update trivy scan workflow with VEX support

Signed-off-by: pohanhuang
(cherry picked from commit 225e9a39aaa52b06e4e99220eaf789b3390ebc70)
---
 .github/workflows/scan.yml | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/scan.yml b/.github/workflows/scan.yml
index 1c08feb3..d9af513e 100644
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -3,22 +3,25 @@ on:
   push:
     branches:
       - master
-      - 'v**'
+      - 'v*'
   pull_request:
 
 jobs:
   build:
     name: Build
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Download Rancher's VEX Hub report
-        run: curl -fsSO https://raw.githubusercontent.com/rancher/vexhub/refs/heads/main/reports/rancher.openvex.json
+        run: |
+          curl -fsSL -H "Accept: application/vnd.git-lfs+json" \
+            "https://media.githubusercontent.com/media/rancher/vexhub/main/reports/rancher.openvex.json" \
+            -o rancher.openvex.json
 
       - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
         with:
           scan-type: 'fs'
           ignore-unfixed: true
@@ -30,6 +33,6 @@ jobs:
           TRIVY_SHOW_SUPPRESSED: true
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3
+        uses: github/codeql-action/upload-sarif@ebcb5b36ded6beda4ceefea6a8bc4cc885255bb3 # v3.34.1
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: 'trivy-results.sarif'
\ No newline at end of file
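Review bot: The VEX report that feeds Trivy's suppressions is fetched from the mutable `main` branch with `curl -fsSL` and no integrity check, so the set of findings hidden from the Security tab can change between runs without any change to this repository (`TRIVY_SHOW_SUPPRESSED: true` surfaces suppressed entries in the report but does not gate which ones apply). Pin the document to a commit rather than a branch, e.g. `"https://media.githubusercontent.com/media/rancher/vexhub/<VEXHUB_COMMIT_SHA>/reports/rancher.openvex.json"`, or verify the download against a recorded digest before the scan step, so the suppression set is reviewed like any other pinned dependency. The same hunk replaces the pinned `ubuntu-24.04` runner with the floating `ubuntu-latest`, which undoes the reproducibility the SHA-pinned `uses:` lines otherwise provide; keeping an explicit image label is preferable. The `aquasecurity/trivy-action` line is removed and re-added with identical visible text, which suggests a whitespace-only change worth confirming as intentional, and `'v*'` no longer matches branch names containing a `/` the way `'v**'` did. The step that hands the downloaded file to Trivy lies outside this hunk, so whether a missing or empty file fails the job cannot be confirmed here.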