From 1faab6c7475afa89517a1ccec683be3fdb9677b0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Sep 2025 15:02:12 +0000 Subject: [PATCH 1/3] Bump aquasecurity/trivy-action from 0.32.0 to 0.33.1 Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.32.0 to 0.33.1. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](https://github.com/aquasecurity/trivy-action/compare/0.32.0...0.33.1) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-version: 0.33.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/trivy-pr-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/trivy-pr-scan.yml b/.github/workflows/trivy-pr-scan.yml index 57fa942..b64475c 100644 --- a/.github/workflows/trivy-pr-scan.yml +++ b/.github/workflows/trivy-pr-scan.yml @@ -40,7 +40,7 @@ jobs: # We will not be concerned with Medium and Low vulnerabilities - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.32.0 + uses: aquasecurity/trivy-action@0.33.1 with: image-ref: '${{ github.repository }}:vuln-test' format: 'sarif' From 75899192273e3c36248695648191114a29287fa9 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Sep 2025 15:06:05 +0000 Subject: [PATCH 2/3] Bump actions/setup-python from 5 to 6 Bumps [actions/setup-python](https://github.com/actions/setup-python) from 5 to 6. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/v5...v6) --- updated-dependencies: - dependency-name: actions/setup-python dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... 
Signed-off-by: dependabot[bot] --- .github/workflows/build-project-tycho.yml | 2 +- .github/workflows/code-checks.yml | 2 +- .github/workflows/pypi-dev-upload.yml | 2 +- .github/workflows/pypi-upload.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-project-tycho.yml b/.github/workflows/build-project-tycho.yml index ee77a7e..d0f2464 100644 --- a/.github/workflows/build-project-tycho.yml +++ b/.github/workflows/build-project-tycho.yml @@ -8,7 +8,7 @@ jobs: steps: - uses: actions/checkout@v5 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: # using the latest minor release of python here. # ref: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python diff --git a/.github/workflows/code-checks.yml b/.github/workflows/code-checks.yml index 9735df4..15ef937 100644 --- a/.github/workflows/code-checks.yml +++ b/.github/workflows/code-checks.yml @@ -26,7 +26,7 @@ jobs: - uses: actions/checkout@v5 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: '3.9' diff --git a/.github/workflows/pypi-dev-upload.yml b/.github/workflows/pypi-dev-upload.yml index 2957a43..8aead45 100644 --- a/.github/workflows/pypi-dev-upload.yml +++ b/.github/workflows/pypi-dev-upload.yml @@ -10,7 +10,7 @@ jobs: steps: - uses: actions/checkout@v5 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: '3.x' - name: Install Package Dependencies diff --git a/.github/workflows/pypi-upload.yml b/.github/workflows/pypi-upload.yml index fd16418..ee3c7e2 100644 --- a/.github/workflows/pypi-upload.yml +++ b/.github/workflows/pypi-upload.yml @@ -8,7 +8,7 @@ jobs: steps: - uses: actions/checkout@v5 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@v6 with: python-version: '3.x' - name: Install Package Dependencies 
From 8cd6a7e29126e4ee66a7d2fd939768e4e840079f Mon Sep 17 00:00:00 2001 From: Joshua Seals <117867292+joshua-seals@users.noreply.github.com> Date: Tue, 16 Sep 2025 14:59:41 -0400 Subject: [PATCH 3/3] Update trivy-pr-scan.yml --- .github/workflows/trivy-pr-scan.yml | 31 ++++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/.github/workflows/trivy-pr-scan.yml b/.github/workflows/trivy-pr-scan.yml index b64475c..13970c3 100644 --- a/.github/workflows/trivy-pr-scan.yml +++ b/.github/workflows/trivy-pr-scan.yml @@ -8,10 +8,35 @@ concurrency: cancel-in-progress: true jobs: - trivy-pr-scan: + trivy-filesystem-pr-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v5 + + # We will not be concerned with Medium and Low vulnerabilities + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.33.1 + with: + scan-type: 'fs' + format: 'sarif' + severity: 'CRITICAL,HIGH' + output: 'trivy-results-fs.sarif' + exit-code: '1' + # Scan results should be viewable in GitHub Security Dashboard + # We still fail the job if results are found, so below will always run + # unless manually canceled. + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + if: '!cancelled()' + with: + sarif_file: 'trivy-results-fs.sarif' + + trivy-image-pr-scan: + runs-on: ubuntu-latest + # Because the filesystem job will fail, we still run image scan to get the full picture + if: ${{ always() }} + steps: + - uses: actions/checkout@v5 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 @@ -45,7 +70,7 @@ jobs: image-ref: '${{ github.repository }}:vuln-test' format: 'sarif' severity: 'CRITICAL,HIGH' - output: 'trivy-results.sarif' + output: 'trivy-results-img.sarif' exit-code: '1' # Scan results should be viewable in GitHub Security Dashboard # We still fail the job if results are found, so below will always run 
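Review bot: Both jobs now upload a SARIF file to code scanning for the same commit under the default category, so the second upload can supersede the first instead of appearing alongside it; give each upload-sarif step its own `category`, e.g. `category: 'trivy-fs'` on the new step in this hunk and `category: 'trivy-image'` on the image job's step (outside this hunk, next to the sarif_file rename). The `if: ${{ always() }}` on trivy-image-pr-scan does not do what the comment above it says: the job declares no `needs:` on the filesystem job, so it is independent and already runs regardless of that job's result, and `always()` additionally keeps it running after a workflow cancellation, so either drop the condition or use `if: ${{ !cancelled() }}` and reword the comment. The new `uses:` references pin mutable tags (`0.33.1`, `v3`); pinning to full commit SHAs with a version comment would protect the scan steps themselves from tag moves. The trivy-image-pr-scan job's steps continue past the end of this hunk.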
@@ -54,4 +79,4 @@ jobs:
 uses: github/codeql-action/upload-sarif@v3
 if: '!cancelled()'
 with:
- sarif_file: 'trivy-results.sarif'
+ sarif_file: 'trivy-results-img.sarif'