Enabled Trivy Scan

omers · Dec 9, 2023 · b76841a · b76841a
1 parent bc12141
commit b76841a
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 10 deletions.
diff --git a/.github/workflows/tfsec.yml b/.github/workflows/tfsec.yml
@@ -13,8 +13,8 @@ on:
     - cron: '43 18 * * 2'
 
 jobs:
-  tfsec:
-    name: Run tfsec sarif report
+  Trivy:
+    name: Run Trivy sarif report
     runs-on: ubuntu-latest
     permissions:
       actions: read
@@ -25,13 +25,17 @@ jobs:
       - name: Clone repo
         uses: actions/checkout@v3
 
-      - name: Run tfsec
-        uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f
-        with:
-          sarif_file: tfsec.sarif
-
-      - name: Upload SARIF file
+      - name: Run Trivy vulnerability scanner in IaC mode
+          uses: aquasecurity/trivy-action@master
+          with:
+            scan-type: 'config'
+            hide-progress: false
+            format: 'sarif'
+            output: 'trivy-results.sarif'
+            exit-code: '1'
+            ignore-unfixed: true
+            severity: 'CRITICAL,HIGH'
+      - name: Upload Trivy scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v2
         with:
-          # Path to SARIF file relative to the root of the repository
-          sarif_file: tfsec.sarif
+          sarif_file: 'trivy-results.sarif'
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1 @@
+AVD-AWS-0136