velero/.github/workflows/nightly-trivy-scan.yml at 22f93ad457fd10ea7cbe50e7da6a372c075e582e

mirror of https://github.com/vmware-tanzu/velero.git synced 2026-04-17 14:11:11 +00:00

Files

Xun Jiang 91922103b4 Update the trivy-action version from main to specific tag to fix supply chain attack

https://www.aquasec.com/blog/trivy-supply-chain-attack-what-you-need-to-know/

Signed-off-by: Xun Jiang <xun.jiang@broadcom.com>

2026-03-27 16:09:53 +08:00

 name: Trivy Nightly Scan
 on:
   schedule:
     - cron: '0 2 * * *' # run at 2 AM UTC
 jobs:
   nightly-scan:
     name: Trivy nightly scan
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
         # maintain the versions of Velero those need security scan
         versions: [main]
         # list of images that need scan
         images: [velero, velero-plugin-for-aws, velero-plugin-for-gcp, velero-plugin-for-microsoft-azure]
     permissions:
       security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
     steps:
       - name: Checkout code
         uses: actions/checkout@v6
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
         with:
           image-ref: 'docker.io/velero/${{ matrix.images }}:${{ matrix.versions }}'
           severity: 'CRITICAL,HIGH,MEDIUM'
           format: 'template'
           template: '@/contrib/sarif.tpl'
           output: 'trivy-results.sarif'
       - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: 'trivy-results.sarif'