From 192a077047e75916d44360c9cac027fb47b523aa Mon Sep 17 00:00:00 2001 From: SG Date: Wed, 21 Jun 2023 14:48:18 -0600 Subject: [PATCH] experimenting with trivy scan --- .github/workflows/api-build-and-push-ghcr.yml | 13 +++++++++++++ .github/workflows/arkime-build-and-push-ghcr.yml | 13 +++++++++++++ .../workflows/dashboards-build-and-push-ghcr.yml | 13 +++++++++++++ .../dashboards-helper-build-and-push-ghcr.yml | 13 +++++++++++++ .../workflows/dirinit-build-and-push-ghcr.yml | 13 +++++++++++++ .../file-monitor-build-and-push-ghcr.yml | 13 +++++++++++++ .../file-upload-build-and-push-ghcr.yml | 13 +++++++++++++ .../workflows/filebeat-build-and-push-ghcr.yml | 13 +++++++++++++ .github/workflows/freq-build-and-push-ghcr.yml | 13 +++++++++++++ .../workflows/htadmin-build-and-push-ghcr.yml | 13 +++++++++++++ .../workflows/logstash-build-and-push-ghcr.yml | 13 +++++++++++++ .../malcolm-iso-build-docker-wrap-push-ghcr.yml | 15 ++++++++++++++- .github/workflows/netbox-build-and-push-ghcr.yml | 13 +++++++++++++ .github/workflows/nginx-build-and-push-ghcr.yml | 13 +++++++++++++ .../workflows/opensearch-build-and-push-ghcr.yml | 13 +++++++++++++ .../pcap-capture-build-and-push-ghcr.yml | 13 +++++++++++++ .../pcap-monitor-build-and-push-ghcr.yml | 13 +++++++++++++ .../workflows/postgresql-build-and-push-ghcr.yml | 13 +++++++++++++ .github/workflows/redis-build-and-push-ghcr.yml | 13 +++++++++++++ .../sensor-iso-build-docker-wrap-push-ghcr.yml | 16 ++++++++++++++-- .../workflows/suricata-build-and-push-ghcr.yml | 13 +++++++++++++ .github/workflows/zeek-build-and-push-ghcr.yml | 13 +++++++++++++ 22 files changed, 288 insertions(+), 3 deletions(-) diff --git a/.github/workflows/api-build-and-push-ghcr.yml b/.github/workflows/api-build-and-push-ghcr.yml index 5cfd3ead3..09d8e6419 100644 --- a/.github/workflows/api-build-and-push-ghcr.yml +++ b/.github/workflows/api-build-and-push-ghcr.yml 
@@ -66,3 +66,16 @@ jobs: file: ./Dockerfiles/api.Dockerfile push: true tags: ghcr.io/${{ github.repository_owner }}/malcolm/api:${{ steps.extract_branch.outputs.branch }} + - + name: Run Trivy vulnerability scanner + id: trivy-scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'image' + image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/api:${{ steps.extract_branch.outputs.branch }} + format: 'table' + severity: 'HIGH,CRITICAL' + vuln-type: 'os,library' + hide-progress: true + ignore-unfixed: true + exit-code: '0' diff --git a/.github/workflows/arkime-build-and-push-ghcr.yml b/.github/workflows/arkime-build-and-push-ghcr.yml index 2effb3957..a8af729a7 100644 --- a/.github/workflows/arkime-build-and-push-ghcr.yml +++ b/.github/workflows/arkime-build-and-push-ghcr.yml @@ -68,3 +68,16 @@ jobs: MAXMIND_GEOIP_DB_LICENSE_KEY=${{ secrets.MAXMIND_GEOIP_DB_LICENSE_KEY }} push: true tags: ghcr.io/${{ github.repository_owner }}/malcolm/arkime:${{ steps.extract_branch.outputs.branch }} + - + name: Run Trivy vulnerability scanner + id: trivy-scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'image' + image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/arkime:${{ steps.extract_branch.outputs.branch }} + format: 'table' + severity: 'HIGH,CRITICAL' + vuln-type: 'os,library' + hide-progress: true + ignore-unfixed: true + exit-code: '0' diff --git a/.github/workflows/dashboards-build-and-push-ghcr.yml b/.github/workflows/dashboards-build-and-push-ghcr.yml index 1c0ab778c..819eff88e 100644 --- a/.github/workflows/dashboards-build-and-push-ghcr.yml +++ b/.github/workflows/dashboards-build-and-push-ghcr.yml 
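Review bot: In the api workflow hunk, `uses: aquasecurity/trivy-action@master` tracks a mutable branch, so any later commit to that branch runs unreviewed inside a job that publishes to ghcr.io. Pin the action to a full commit SHA with the release noted beside it, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha>  # <release-tag>`, and let Dependabot or Renovate propose bumps. The step runs after the `push: true` build step, so the registry login made earlier in the job (outside this hunk, inferred) is presumably still available to it. The same `@master` reference is repeated in the other 21 workflow files this patch touches.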
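Review bot: In the arkime workflow hunk, `exit-code: '0'` together with `format: 'table'` makes the scan report-only: HIGH/CRITICAL findings appear only in the job log and the job stays green, and because the step follows `push: true` the image is already published when it is scanned. If that is intended while experimenting, say so in the file with a comment such as `# report-only for now: findings do not fail the build`. Note also that `ignore-unfixed: true` drops findings that have no patched version yet. The step also scans by the mutable branch tag; referencing the build step's digest, `image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/arkime@${{ steps.<build-step-id>.outputs.digest }}`, would tie the result to the image just pushed (the build step's id is outside the hunk). The same applies to every other image-scan hunk in this patch.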
@@ -66,3 +66,16 @@ jobs: file: ./Dockerfiles/dashboards.Dockerfile push: true tags: ghcr.io/${{ github.repository_owner }}/malcolm/dashboards:${{ steps.extract_branch.outputs.branch }} + - + name: Run Trivy vulnerability scanner + id: trivy-scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'image' + image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/dashboards:${{ steps.extract_branch.outputs.branch }} + format: 'table' + severity: 'HIGH,CRITICAL' + vuln-type: 'os,library' + hide-progress: true + ignore-unfixed: true + exit-code: '0' diff --git a/.github/workflows/dashboards-helper-build-and-push-ghcr.yml b/.github/workflows/dashboards-helper-build-and-push-ghcr.yml index fd862543f..776a74c30 100644 --- a/.github/workflows/dashboards-helper-build-and-push-ghcr.yml +++ b/.github/workflows/dashboards-helper-build-and-push-ghcr.yml @@ -66,3 +66,16 @@ jobs: file: ./Dockerfiles/dashboards-helper.Dockerfile push: true tags: ghcr.io/${{ github.repository_owner }}/malcolm/dashboards-helper:${{ steps.extract_branch.outputs.branch }} + - + name: Run Trivy vulnerability scanner + id: trivy-scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'image' + image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/dashboards-helper:${{ steps.extract_branch.outputs.branch }} + format: 'table' + severity: 'HIGH,CRITICAL' + vuln-type: 'os,library' + hide-progress: true + ignore-unfixed: true + exit-code: '0' diff --git a/.github/workflows/dirinit-build-and-push-ghcr.yml b/.github/workflows/dirinit-build-and-push-ghcr.yml index ffaa2d096..6a1c60053 100644 --- a/.github/workflows/dirinit-build-and-push-ghcr.yml +++ b/.github/workflows/dirinit-build-and-push-ghcr.yml 
@@ -59,3 +59,16 @@ jobs: file: ./Dockerfiles/dirinit.Dockerfile push: true tags: ghcr.io/${{ github.repository_owner }}/malcolm/dirinit:${{ steps.extract_branch.outputs.branch }} + - + name: Run Trivy vulnerability scanner + id: trivy-scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'image' + image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/dirinit:${{ steps.extract_branch.outputs.branch }} + format: 'table' + severity: 'HIGH,CRITICAL' + vuln-type: 'os,library' + hide-progress: true + ignore-unfixed: true + exit-code: '0' diff --git a/.github/workflows/file-monitor-build-and-push-ghcr.yml b/.github/workflows/file-monitor-build-and-push-ghcr.yml index fbb6bbbfd..85a9e4d2f 100644 --- a/.github/workflows/file-monitor-build-and-push-ghcr.yml +++ b/.github/workflows/file-monitor-build-and-push-ghcr.yml @@ -66,3 +66,16 @@ jobs: file: ./Dockerfiles/file-monitor.Dockerfile push: true tags: ghcr.io/${{ github.repository_owner }}/malcolm/file-monitor:${{ steps.extract_branch.outputs.branch }} + - + name: Run Trivy vulnerability scanner + id: trivy-scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'image' + image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/file-monitor:${{ steps.extract_branch.outputs.branch }} + format: 'table' + severity: 'HIGH,CRITICAL' + vuln-type: 'os,library' + hide-progress: true + ignore-unfixed: true + exit-code: '0' diff --git a/.github/workflows/file-upload-build-and-push-ghcr.yml b/.github/workflows/file-upload-build-and-push-ghcr.yml index b49ae4bea..48e12a2d9 100644 --- a/.github/workflows/file-upload-build-and-push-ghcr.yml +++ b/.github/workflows/file-upload-build-and-push-ghcr.yml 
@@ -66,3 +66,16 @@ jobs: file: ./Dockerfiles/file-upload.Dockerfile push: true tags: ghcr.io/${{ github.repository_owner }}/malcolm/file-upload:${{ steps.extract_branch.outputs.branch }} + - + name: Run Trivy vulnerability scanner + id: trivy-scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'image' + image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/file-upload:${{ steps.extract_branch.outputs.branch }} + format: 'table' + severity: 'HIGH,CRITICAL' + vuln-type: 'os,library' + hide-progress: true + ignore-unfixed: true + exit-code: '0' diff --git a/.github/workflows/filebeat-build-and-push-ghcr.yml b/.github/workflows/filebeat-build-and-push-ghcr.yml index 10be9650e..ae498b80f 100644 --- a/.github/workflows/filebeat-build-and-push-ghcr.yml +++ b/.github/workflows/filebeat-build-and-push-ghcr.yml @@ -66,3 +66,16 @@ jobs: file: ./Dockerfiles/filebeat.Dockerfile push: true tags: ghcr.io/${{ github.repository_owner }}/malcolm/filebeat-oss:${{ steps.extract_branch.outputs.branch }} + - + name: Run Trivy vulnerability scanner + id: trivy-scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'image' + image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/filebeat-oss:${{ steps.extract_branch.outputs.branch }} + format: 'table' + severity: 'HIGH,CRITICAL' + vuln-type: 'os,library' + hide-progress: true + ignore-unfixed: true + exit-code: '0' diff --git a/.github/workflows/freq-build-and-push-ghcr.yml b/.github/workflows/freq-build-and-push-ghcr.yml index d27e67429..f1180f822 100644 --- a/.github/workflows/freq-build-and-push-ghcr.yml +++ b/.github/workflows/freq-build-and-push-ghcr.yml 
@@ -66,3 +66,16 @@ jobs: file: ./Dockerfiles/freq.Dockerfile push: true tags: ghcr.io/${{ github.repository_owner }}/malcolm/freq:${{ steps.extract_branch.outputs.branch }} + - + name: Run Trivy vulnerability scanner + id: trivy-scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'image' + image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/freq:${{ steps.extract_branch.outputs.branch }} + format: 'table' + severity: 'HIGH,CRITICAL' + vuln-type: 'os,library' + hide-progress: true + ignore-unfixed: true + exit-code: '0' diff --git a/.github/workflows/htadmin-build-and-push-ghcr.yml b/.github/workflows/htadmin-build-and-push-ghcr.yml index 06fbcabac..7f3c1e8a4 100644 --- a/.github/workflows/htadmin-build-and-push-ghcr.yml +++ b/.github/workflows/htadmin-build-and-push-ghcr.yml @@ -66,3 +66,16 @@ jobs: file: ./Dockerfiles/htadmin.Dockerfile push: true tags: ghcr.io/${{ github.repository_owner }}/malcolm/htadmin:${{ steps.extract_branch.outputs.branch }} + - + name: Run Trivy vulnerability scanner + id: trivy-scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'image' + image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/htadmin:${{ steps.extract_branch.outputs.branch }} + format: 'table' + severity: 'HIGH,CRITICAL' + vuln-type: 'os,library' + hide-progress: true + ignore-unfixed: true + exit-code: '0' diff --git a/.github/workflows/logstash-build-and-push-ghcr.yml b/.github/workflows/logstash-build-and-push-ghcr.yml index 997d18d2f..5eeaa96f0 100644 --- a/.github/workflows/logstash-build-and-push-ghcr.yml +++ b/.github/workflows/logstash-build-and-push-ghcr.yml 
@@ -66,3 +66,16 @@ jobs: file: ./Dockerfiles/logstash.Dockerfile push: true tags: ghcr.io/${{ github.repository_owner }}/malcolm/logstash-oss:${{ steps.extract_branch.outputs.branch }} + - + name: Run Trivy vulnerability scanner + id: trivy-scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'image' + image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/logstash-oss:${{ steps.extract_branch.outputs.branch }} + format: 'table' + severity: 'HIGH,CRITICAL' + vuln-type: 'os,library' + hide-progress: true + ignore-unfixed: true + exit-code: '0' diff --git a/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml b/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml index 80aef51ce..a24a020d9 100644 --- a/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml +++ b/.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml @@ -113,6 +113,19 @@ jobs: rm -rf ./shared/ sudo chmod 644 ./malcolm-*.* popd + - + name: Run Trivy vulnerability scanner + id: trivy-scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + scan-ref: './malcolm-iso' + format: 'table' + severity: 'HIGH,CRITICAL' + vuln-type: 'os,library' + hide-progress: true + ignore-unfixed: true + exit-code: '0' - name: ghcr.io login uses: docker/login-action@v2 @@ -126,4 +139,4 @@ jobs: with: context: ./malcolm-iso push: true - tags: ghcr.io/${{ github.repository_owner }}/malcolm/malcolm:${{ steps.extract_branch.outputs.branch }} \ No newline at end of file + tags: ghcr.io/${{ github.repository_owner }}/malcolm/malcolm:${{ steps.extract_branch.outputs.branch }} diff --git a/.github/workflows/netbox-build-and-push-ghcr.yml b/.github/workflows/netbox-build-and-push-ghcr.yml index 2693f9323..24ef87ee7 100644 --- a/.github/workflows/netbox-build-and-push-ghcr.yml +++ b/.github/workflows/netbox-build-and-push-ghcr.yml 
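Review bot: In malcolm-iso-build-docker-wrap-push-ghcr.yml, `scan-type: 'fs'` with `scan-ref: './malcolm-iso'` is unlikely to examine the packages inside the ISO. Trivy's filesystem mode reads package manifests and lockfiles found under the path and does not unpack disk images, and the directory appears (from the `chmod 644 ./malcolm-*.*` context line) to hold the built ISO artifacts. An empty table here would read as a clean result when nothing was actually inspected, and `exit-code: '0'` would not fail the job in any case. Consider extracting or mounting the ISO's root filesystem and pointing `scan-type: 'rootfs'` at it, or add a comment stating what this step does and does not cover. The sensor-iso workflow hunk has the same configuration with `scan-ref: './sensor-iso'`.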
@@ -66,3 +66,16 @@ jobs: file: ./Dockerfiles/netbox.Dockerfile push: true tags: ghcr.io/${{ github.repository_owner }}/malcolm/netbox:${{ steps.extract_branch.outputs.branch }} + - + name: Run Trivy vulnerability scanner + id: trivy-scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'image' + image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/netbox:${{ steps.extract_branch.outputs.branch }} + format: 'table' + severity: 'HIGH,CRITICAL' + vuln-type: 'os,library' + hide-progress: true + ignore-unfixed: true + exit-code: '0' diff --git a/.github/workflows/nginx-build-and-push-ghcr.yml b/.github/workflows/nginx-build-and-push-ghcr.yml index b89a4d859..f90840cab 100644 --- a/.github/workflows/nginx-build-and-push-ghcr.yml +++ b/.github/workflows/nginx-build-and-push-ghcr.yml @@ -81,3 +81,16 @@ jobs: GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} push: true tags: ghcr.io/${{ github.repository_owner }}/malcolm/nginx-proxy:${{ steps.extract_branch.outputs.branch }} + - + name: Run Trivy vulnerability scanner + id: trivy-scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'image' + image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/nginx-proxy:${{ steps.extract_branch.outputs.branch }} + format: 'table' + severity: 'HIGH,CRITICAL' + vuln-type: 'os,library' + hide-progress: true + ignore-unfixed: true + exit-code: '0' diff --git a/.github/workflows/opensearch-build-and-push-ghcr.yml b/.github/workflows/opensearch-build-and-push-ghcr.yml index 08f5967fd..6e98ae931 100644 --- a/.github/workflows/opensearch-build-and-push-ghcr.yml +++ b/.github/workflows/opensearch-build-and-push-ghcr.yml 
@@ -65,3 +65,16 @@ jobs: file: ./Dockerfiles/opensearch.Dockerfile push: true tags: ghcr.io/${{ github.repository_owner }}/malcolm/opensearch:${{ steps.extract_branch.outputs.branch }} + - + name: Run Trivy vulnerability scanner + id: trivy-scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'image' + image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/opensearch:${{ steps.extract_branch.outputs.branch }} + format: 'table' + severity: 'HIGH,CRITICAL' + vuln-type: 'os,library' + hide-progress: true + ignore-unfixed: true + exit-code: '0' diff --git a/.github/workflows/pcap-capture-build-and-push-ghcr.yml b/.github/workflows/pcap-capture-build-and-push-ghcr.yml index f3a224290..6d380dbbe 100644 --- a/.github/workflows/pcap-capture-build-and-push-ghcr.yml +++ b/.github/workflows/pcap-capture-build-and-push-ghcr.yml @@ -66,3 +66,16 @@ jobs: file: ./Dockerfiles/pcap-capture.Dockerfile push: true tags: ghcr.io/${{ github.repository_owner }}/malcolm/pcap-capture:${{ steps.extract_branch.outputs.branch }} + - + name: Run Trivy vulnerability scanner + id: trivy-scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'image' + image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/pcap-capture:${{ steps.extract_branch.outputs.branch }} + format: 'table' + severity: 'HIGH,CRITICAL' + vuln-type: 'os,library' + hide-progress: true + ignore-unfixed: true + exit-code: '0' diff --git a/.github/workflows/pcap-monitor-build-and-push-ghcr.yml b/.github/workflows/pcap-monitor-build-and-push-ghcr.yml index eab99d9d1..919cf87d5 100644 --- a/.github/workflows/pcap-monitor-build-and-push-ghcr.yml +++ b/.github/workflows/pcap-monitor-build-and-push-ghcr.yml 
@@ -66,3 +66,16 @@ jobs: file: ./Dockerfiles/pcap-monitor.Dockerfile push: true tags: ghcr.io/${{ github.repository_owner }}/malcolm/pcap-monitor:${{ steps.extract_branch.outputs.branch }} + - + name: Run Trivy vulnerability scanner + id: trivy-scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'image' + image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/pcap-monitor:${{ steps.extract_branch.outputs.branch }} + format: 'table' + severity: 'HIGH,CRITICAL' + vuln-type: 'os,library' + hide-progress: true + ignore-unfixed: true + exit-code: '0' diff --git a/.github/workflows/postgresql-build-and-push-ghcr.yml b/.github/workflows/postgresql-build-and-push-ghcr.yml index e916b4360..e17e66639 100644 --- a/.github/workflows/postgresql-build-and-push-ghcr.yml +++ b/.github/workflows/postgresql-build-and-push-ghcr.yml @@ -65,3 +65,16 @@ jobs: file: ./Dockerfiles/postgresql.Dockerfile push: true tags: ghcr.io/${{ github.repository_owner }}/malcolm/postgresql:${{ steps.extract_branch.outputs.branch }} + - + name: Run Trivy vulnerability scanner + id: trivy-scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'image' + image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/postgresql:${{ steps.extract_branch.outputs.branch }} + format: 'table' + severity: 'HIGH,CRITICAL' + vuln-type: 'os,library' + hide-progress: true + ignore-unfixed: true + exit-code: '0' diff --git a/.github/workflows/redis-build-and-push-ghcr.yml b/.github/workflows/redis-build-and-push-ghcr.yml index c36708dcf..73006665a 100644 --- a/.github/workflows/redis-build-and-push-ghcr.yml +++ b/.github/workflows/redis-build-and-push-ghcr.yml 
@@ -65,3 +65,16 @@ jobs: file: ./Dockerfiles/redis.Dockerfile push: true tags: ghcr.io/${{ github.repository_owner }}/malcolm/redis:${{ steps.extract_branch.outputs.branch }} + - + name: Run Trivy vulnerability scanner + id: trivy-scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'image' + image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/redis:${{ steps.extract_branch.outputs.branch }} + format: 'table' + severity: 'HIGH,CRITICAL' + vuln-type: 'os,library' + hide-progress: true + ignore-unfixed: true + exit-code: '0' diff --git a/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml b/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml index af40ba3f8..29e233565 100644 --- a/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml +++ b/.github/workflows/sensor-iso-build-docker-wrap-push-ghcr.yml @@ -103,7 +103,19 @@ jobs: rm -rf ./shared/ ./docs/ ./_config.yml ./_includes ./_layouts /Gemfile ./README.md sudo chmod 644 ./hedgehog-*.* popd - + - + name: Run Trivy vulnerability scanner + id: trivy-scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + scan-ref: './sensor-iso' + format: 'table' + severity: 'HIGH,CRITICAL' + vuln-type: 'os,library' + hide-progress: true + ignore-unfixed: true + exit-code: '0' - name: ghcr.io login uses: docker/login-action@v2 @@ -117,4 +129,4 @@ jobs: with: context: ./sensor-iso push: true - tags: ghcr.io/${{ github.repository_owner }}/malcolm/hedgehog:${{ steps.extract_branch.outputs.branch }} \ No newline at end of file + tags: ghcr.io/${{ github.repository_owner }}/malcolm/hedgehog:${{ steps.extract_branch.outputs.branch }} diff --git a/.github/workflows/suricata-build-and-push-ghcr.yml b/.github/workflows/suricata-build-and-push-ghcr.yml index 73af7da1b..2b8887c38 100644 --- a/.github/workflows/suricata-build-and-push-ghcr.yml +++ b/.github/workflows/suricata-build-and-push-ghcr.yml 
@@ -66,3 +66,16 @@ jobs: file: ./Dockerfiles/suricata.Dockerfile push: true tags: ghcr.io/${{ github.repository_owner }}/malcolm/suricata:${{ steps.extract_branch.outputs.branch }} + - + name: Run Trivy vulnerability scanner + id: trivy-scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'image' + image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/suricata:${{ steps.extract_branch.outputs.branch }} + format: 'table' + severity: 'HIGH,CRITICAL' + vuln-type: 'os,library' + hide-progress: true + ignore-unfixed: true + exit-code: '0' diff --git a/.github/workflows/zeek-build-and-push-ghcr.yml b/.github/workflows/zeek-build-and-push-ghcr.yml index a48fe1e7c..b48e8f246 100644 --- a/.github/workflows/zeek-build-and-push-ghcr.yml +++ b/.github/workflows/zeek-build-and-push-ghcr.yml @@ -65,3 +65,16 @@ jobs: file: ./Dockerfiles/zeek.Dockerfile push: true tags: ghcr.io/${{ github.repository_owner }}/malcolm/zeek:${{ steps.extract_branch.outputs.branch }} + - + name: Run Trivy vulnerability scanner + id: trivy-scan + uses: aquasecurity/trivy-action@master + with: + scan-type: 'image' + image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/zeek:${{ steps.extract_branch.outputs.branch }} + format: 'table' + severity: 'HIGH,CRITICAL' + vuln-type: 'os,library' + hide-progress: true + ignore-unfixed: true + exit-code: '0'