Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update Aqua workflow with trivy-db fix #20

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update Aqua workflow with trivy-db fix #20

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
40 changes: 30 additions & 10 deletions .github/workflows/aqua.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,30 +1,50 @@
name: Aqua

on:
pull_request:
branches:
- main
- develop

jobs:
aqua:
name: Aqua scanner
runs-on: ubuntu-22.04
name: Code scanning
runs-on: ubuntu-24.04

permissions:
contents: read
id-token: write

steps:
- name: Checkout code
uses: actions/checkout@v4
with:
show-progress: false

- name: Authenticate to Google Cloud
id: gcloud-auth
uses: google-github-actions/auth@v2
with:
token_format: access_token
workload_identity_provider: projects/699052769907/locations/global/workloadIdentityPools/github-identity-pool-shared/providers/github-identity-provider-shared # yamllint disable-line
service_account: github-gar-almasyliuspaymentpl@lyrical-carver-335213.iam.gserviceaccount.com

- name: Authenticate to Artifact Registry
uses: docker/login-action@v3
with:
registry: europe-docker.pkg.dev
username: oauth2accesstoken
password: ${{ steps.gcloud-auth.outputs.access_token }}

- name: Run Aqua scanner
uses: docker://aquasec/aqua-scanner
with:
args: trivy fs --sast --reachability --scanners misconfig,vuln,secret .
# To customize which severities add the following flag: --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
# To enable SAST scanning, add: --sast
# To enable reachability scanning, add: --reachability
# To enable npm/dotnet non-lock file scanning, add: --package-json / --dotnet-proj
env:
AQUA_KEY: ${{ secrets.AQUA_KEY }}
AQUA_SECRET: ${{ secrets.AQUA_SECRET }}
GITHUB_TOKEN: ${{ github.token }}
AQUA_URL: https://api.eu-1.supply-chain.cloud.aquasec.com
CSPM_URL: https://eu-1.api.cloudsploit.com
TRIVY_RUN_AS_PLUGIN: "aqua"
# For http/https proxy configuration add env vars: HTTP_PROXY/HTTPS_PROXY, CA-CRET (path to CA certificate)
TRIVY_RUN_AS_PLUGIN: aqua
TRIVY_DB_REPOSITORY: europe-docker.pkg.dev/lyrical-carver-335213/ghcr-remote-cache/aquasecurity/trivy-db:2
with:
args: trivy fs --sast --reachability --scanners misconfig,vuln,secret .