diff --git a/.github/workflows/license_scan.yml b/.github/workflows/license_scan.yml
index fff50cc76..6e7cb7b7b 100644
--- a/.github/workflows/license_scan.yml
+++ b/.github/workflows/license_scan.yml
@@ -10,32 +10,34 @@ jobs:
     timeout-minutes: 30
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Run license scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           scan-type: "rootfs"
           scan-ref: "."
           scanners: "license"
           severity: "CRITICAL,HIGH"
           exit-code: 1
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
   license_scan2:
     name: License scan (repo)
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: npm install (typescript-client)
         run: cd extensions/wrapper/clients/typescript-client && npm clean-install
       - name: npm install (typescript-client-example)
         run: cd extensions/wrapper/clients/typescript-client-example && npm clean-install
       - name: Run license scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           scan-type: "repo"
           scan-ref: "."
           scanners: "license"
           severity: "CRITICAL,HIGH"
           exit-code: 1
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/secret_scan.yml b/.github/workflows/secret_scan.yml
index 613fc5682..a06413b54 100644
--- a/.github/workflows/secret_scan.yml
+++ b/.github/workflows/secret_scan.yml
@@ -17,9 +17,10 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
       - name: Run vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           scan-type: "fs"
           exit-code: "1"
           ignore-unfixed: true
           scanners: secret
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/security_scan.yml b/.github/workflows/security_scan.yml
index 6a5076180..3df11ce8d 100644
--- a/.github/workflows/security_scan.yml
+++ b/.github/workflows/security_scan.yml
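Review bot: Pinning `aquasecurity/trivy-action` to the `0.24.0` tag on both `uses:` lines of this hunk is a clear improvement over `@master`, but a tag is still a mutable ref that the upstream maintainers — or anyone who compromises their repository — can move to different code, so it does not give the supply-chain guarantee a pin is meant to give. Pin third-party actions to the full 40-character commit SHA and keep the version as a trailing comment for readability and for Dependabot, e.g. `uses: aquasecurity/trivy-action@<full-commit-sha> # 0.24.0`, and do the same for `actions/checkout@v4`. The `license_scan2` job also runs `npm clean-install` in two directories before the scan, which executes the lifecycle scripts of every dependency on the runner; if the license scan only needs the installed package metadata, `npm clean-install --ignore-scripts` removes that code-execution surface. The first job's header (`runs-on`, any `permissions:`) starts before this hunk.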
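Review bot: The new `github-pat: ${{ secrets.GITHUB_TOKEN }}` line hands the workflow token to a third-party action, and nothing in this hunk restricts what that token can do; unless the workflow declares a `permissions:` block elsewhere (not visible here), the token carries the repository's default scopes, which can include write access. Add least-privilege permissions at the job or workflow level, `permissions:` followed by `  contents: read`, since a filesystem secret scan only needs to read the checkout. Also confirm what 0.24.0 does with this input: trivy-action documents `github-pat` as the token for submitting SBOMs to the Dependency Snapshot API, and this job does not use `format: github`, so if the intent is to avoid GitHub API rate limits during the trivy download, verify the pinned version actually consumes it that way — otherwise it is dead config that still exposes the token. The job's `runs-on` and any `permissions:` key are outside this hunk.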
@@ -12,7 +12,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
       - name: Run static analysis (rootfs)
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           scan-type: "rootfs"
           scanners: "vuln,misconfig"
@@ -20,6 +20,7 @@ jobs:
           format: "sarif"
           output: "trivy-results-rootfs.sarif"
           severity: "CRITICAL,HIGH"
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
   security_scan_repo:
     name: security_scan_repo
     runs-on: ubuntu-latest
@@ -27,7 +28,7 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
       - name: Run static analysis (repo)
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           scan-type: "repo"
           scanners: "vuln,misconfig"
@@ -35,6 +36,7 @@ jobs:
           format: "sarif"
           output: "trivy-results-repo.sarif"
           severity: "CRITICAL,HIGH"
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
       - name: Upload Trivy scan results to GitHub Security tab (repo)
         uses: github/codeql-action/upload-sarif@v2
         continue-on-error: true
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 1a415400c..85c4b8d10 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -12,10 +12,10 @@ jobs:
     timeout-minutes: 30
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Run static analysis
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           scan-type: 'fs'
           security-checks: 'vuln,secret,config'
@@ -23,6 +23,7 @@ jobs:
           format: 'sarif'
           output: 'trivy-results.sarif'
           severity: 'CRITICAL'
+          github-pat: ${{ secrets.GITHUB_TOKEN }}
       - name: Upload Trivy scan results to GitHub Security tab
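Review bot: The pinning discipline stops one line short in this hunk: `aquasecurity/trivy-action` is moved to the `0.24.0` tag, while the adjacent `github/codeql-action/upload-sarif@v2` two lines below stays on a floating major tag, and v2 of the CodeQL action has been announced as deprecated upstream — confirm and move to `github/codeql-action/upload-sarif@v3`. For both actions prefer a full commit SHA with the version in a trailing comment, e.g. `uses: github/codeql-action/upload-sarif@<full-commit-sha> # v3`, because tags are mutable refs. `continue-on-error: true` on the upload step means a failed SARIF upload never fails the job, so findings can silently stop reaching the Security tab; that may be deliberate but deserves a comment such as `# SARIF upload is best-effort by design; check the Security tab if results go missing`. The upload step's own `with:` block runs past this hunk.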
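Review bot: `security-checks: 'vuln,secret,config'` on the last line of this hunk is the legacy input name; the other workflows in this commit use `scanners:` with the `misconfig` scanner, and if the pinned `0.24.0` no longer recognises `security-checks`, GitHub Actions only emits a warning for an unknown `with:` key and trivy falls back to its default scanners, silently dropping the misconfiguration scan. Align it with the other files, `scanners: 'vuln,secret,misconfig'`, and check a run log for an "Unexpected input(s)" warning to confirm whether the input is currently being honoured. The `with:` block continues past this hunk.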