GitHub Actions build does not fail even when Trivy reports a security vulnerability.
Trivy.yaml:

  name: trivy
  on:
    push:
      branches:
        - main
    pull_request:
  jobs:
    build:
      name: trivy
      runs-on: ubuntu-20.04
      steps:
        - name: Checkout code
          uses: actions/checkout@v3
        - name: Run Trivy vulnerability scanner
          uses: aquasecurity/trivy-action@master
          with:
            scan-type: 'fs'
            scan-ref: '.'
            hide-progress: false
            format: 'table'
            severity: 'MEDIUM,CRITICAL,HIGH'
            exit-code: '1'
            trivy-config: trivy_rule.yaml
trivy_rule.yaml:

  # Custom secret-scanning rules (Trivy secret rules format: rules / allow-rules / enable-builtin-rules)
  rules:
    - id: rule1
      category: general
      title: Generic Rule
      # a rule carries a single severity level, not a comma-separated list
      severity: MEDIUM
      keywords:
        - secret
      regex: (?i)(?P<key>(secret))(=|:).{0,5}['"](?P<secret>[0-9a-zA-Z\-_=]{8,64})['"]
      secret-group-name: secret
  allow-rules:
    - id: skip-text
      description: skip text files
      path: .*\.txt
  disable-allow-rules:
    - markdown
  enable-builtin-rules:
    - aws-access-key-id
    - aws-account-id
    - aws-secret-access-key
    - slack-access-token
    - slack-web-hook
    - github-oauth
    - github-pat
    - github-app-token
    - github-refresh-token
    - atlassian-api-token
    - databricks-api-token
    - grafana-api-token
    - hashicorp-tf-api-token
    - new-relic-user-api-key
    - new-relic-user-api-id
    - new-relic-browser-api-token
    - npm-access-token
Output:

  Total: 8 (UNKNOWN: 0, LOW: 0, MEDIUM: 8, HIGH: 0, CRITICAL: 0)

  MEDIUM: Slack (slack-web-hook)
  ════════════════════════════════════════
  Slack Webhook
  ────────────────────────────────────────
  ────────────────────────────────────────
     9   locals {
    10     # This is the incoming webhook URL used for all platform alerts, by default it sends to #eng-platform-alerts
    11 [   slack_platform_hook = "*************************************************************************"
    12   }
The build should fail when a security vulnerability is reported.
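The following is an added example and not part of the question. It rests on two observations and one assumption. The observations: the file passed as `trivy-config` uses the `rules` / `allow-rules` / `enable-builtin-rules` keys, which is the format of Trivy's secret-scanning rules file (the one read via `--secret-config`, default name `trivy-secret.yaml`), not the `trivy.yaml` format that `--config` expects, so Trivy finds no `exit-code` or `severity` setting in it; and the `[ ` marker in the output shows Trivy did detect the webhook, so the scan itself worked. The assumption (verify against the entrypoint of the trivy-action version in use): when `trivy-config` is set, the action invokes `trivy --config <file> <scan-type> <scan-ref>` and does not forward its other `with:` inputs, so the `exit-code: '1'` input never reaches Trivy and the step exits 0. One way to keep the custom secret rules and still fail the job is a real `trivy.yaml` that carries the exit code and severities and points at the rules file. File names other than `trivy_rule.yaml` are assumed:

```yaml
# --- trivy.yaml (assumed name; the general config that `trivy-config` / --config reads) ---
# exit-code and severity live here because, with trivy-config set, the action is
# assumed not to forward the corresponding `with:` inputs (see lead-in).
exit-code: 1
severity:
  - MEDIUM
  - HIGH
  - CRITICAL
secret:
  # same as --secret-config: the custom secret rules file from the question, unchanged
  config: trivy_rule.yaml

# --- .github/workflows/trivy.yaml, scanner step only (rest of the job as in the question) ---
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'table'
          # point at the general config, not at the secret rules file
          trivy-config: trivy.yaml
```

Two checks before pushing: run `trivy fs --config trivy.yaml . ; echo $?` locally on the same tree and confirm the exit status is 1 while the Slack webhook is still listed; and, if the action version in use does forward `exit-code` alongside `trivy-config`, the duplication is harmless since `trivy.yaml` sets the same value. The alternative that avoids `trivy-config` entirely is to rename `trivy_rule.yaml` to `trivy-secret.yaml` in the repository root, which Trivy loads by default, and keep the original `with:` block with `exit-code: '1'` and no `trivy-config` input.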