From 83f2642d4b86cb295e98f41c326b668d9d5a90ed Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?= Date: Sun, 6 Jul 2025 15:51:33 +0300 Subject: [PATCH 1/5] Chore(ci) - Fix faulty Trivy option --- .github/workflows/vulnerability-scan.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml index 0e5464a9a..2dfa56d4a 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/vulnerability-scan.yml @@ -25,4 +25,4 @@ jobs: with: token: ${{ secrets.GITHUB_TOKEN }} image: symfony-flex-backend:master - ignore-unfixed: true + ignore_unfixed: true From 3a5c62b7381afcba9fdb8970f684575ed0807687 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?= Date: Sun, 6 Jul 2025 15:56:07 +0300 Subject: [PATCH 2/5] Chore(ci) - Added `severity` option --- .github/workflows/vulnerability-scan.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml index 2dfa56d4a..77f6ff722 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/vulnerability-scan.yml @@ -26,3 +26,4 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} image: symfony-flex-backend:master ignore_unfixed: true + severity: 'CRITICAL,HIGH' From 6fafed31e9df8ef136e1ec6157935f83102db24f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?= Date: Sun, 6 Jul 2025 16:07:06 +0300 Subject: [PATCH 3/5] Chore(ci) - Try with different action --- .github/workflows/vulnerability-scan.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml index 77f6ff722..398c4a84b 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/vulnerability-scan.yml 
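Review bot: The added `severity: 'CRITICAL,HIGH'` sits directly under `ignore_unfixed: true`, so this scan now reports nothing for MEDIUM/LOW findings and nothing for CRITICAL/HIGH CVEs that have no upstream fix yet — a reasonable noise trade-off, but one that should be stated next to the option so nobody reads a green run as a full inventory. I would add above `ignore_unfixed`: `# Unfixed CVEs are hidden to keep the job actionable; drop this to see the full list.` Whether `lazy-actions/gitrivy@v3` declares the input as `ignore_unfixed` (the first patch in this series flipped it from `ignore-unfixed`) is not verifiable from the diff; check the action's `action.yml`, since an unknown `with:` key is only a warning and would silently leave unfixed CVEs in the output. The step's `name:` and `uses:` lines are outside this hunk.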
@@ -21,9 +21,11 @@ jobs: run: docker build . --file Dockerfile --tag symfony-flex-backend:master - name: Scan image with Trivy - uses: lazy-actions/gitrivy@v3 + uses: aquasecurity/trivy-action@0.28.0 with: - token: ${{ secrets.GITHUB_TOKEN }} - image: symfony-flex-backend:master - ignore_unfixed: true - severity: 'CRITICAL,HIGH' + image-ref: symfony-flex-backend:master + + #token: ${{ secrets.GITHUB_TOKEN }} + #image: symfony-flex-backend:master + #ignore_unfixed: true + #trivy_version: 'latest' From d72da729a30b81722a29f25aa4386b2c860081ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?= Date: Sun, 6 Jul 2025 16:11:21 +0300 Subject: [PATCH 4/5] Chore(ci) - Added `ignore-unfixed` option --- .github/workflows/vulnerability-scan.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml index 398c4a84b..03fa9dbeb 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/vulnerability-scan.yml @@ -24,6 +24,7 @@ jobs: uses: aquasecurity/trivy-action@0.28.0 with: image-ref: symfony-flex-backend:master + ignore-unfixed: 'true' #token: ${{ secrets.GITHUB_TOKEN }} #image: symfony-flex-backend:master From c11f2880510017ad74f35a6d98e73f5edf03d21f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tarmo=20Lepp=C3=A4nen?= Date: Sun, 6 Jul 2025 16:12:33 +0300 Subject: [PATCH 5/5] Chore(ci) - Added rest of the options --- .github/workflows/vulnerability-scan.yml | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml index 03fa9dbeb..618598f02 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/vulnerability-scan.yml 
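Review bot: `uses: aquasecurity/trivy-action@0.28.0` pins a third-party action by a release tag, and tags are mutable — whoever can move that tag can change the code that runs in this job against the freshly built image. Pin to the full commit SHA of that release and keep the version as a trailing comment, e.g. `uses: aquasecurity/trivy-action@<40-char commit sha> # 0.28.0`, so an upgrade is an explicit, reviewable diff. The four `#token`/`#image`/`#ignore_unfixed`/`#trivy_version` lines carry no information the git history does not and should not be committed as comments. The `- name: Scan image with Trivy` step and the enclosing job begin outside this hunk.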
@@ -25,8 +25,6 @@ jobs:
 with:
 image-ref: symfony-flex-backend:master
 ignore-unfixed: 'true'
-
- #token: ${{ secrets.GITHUB_TOKEN }}
- #image: symfony-flex-backend:master
- #ignore_unfixed: true
- #trivy_version: 'latest'
+ exit-code: '1'
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
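Review bot: `exit-code: '1'` turns the step into a gate, but nothing in it persists the report, so the only record of which CVEs failed the build is the job log; add `format: 'sarif'` and `output: 'trivy-results.sarif'` here and upload that file in a following step with `github/codeql-action/upload-sarif` (that step will need `security-events: write`), so findings are tracked in the Security tab across runs rather than rediscovered from logs. The gate combined with `ignore-unfixed: 'true'` means a CRITICAL CVE with no vendor fix passes silently; if that is the intended policy, record it above the line, e.g. `# Gate only on fixable CRITICAL/HIGH; unfixed CVEs are deliberately non-blocking`. `vuln-type: 'os,library'` appears to match Trivy's default scan set, so it documents rather than changes behaviour — harmless, but worth knowing when reading the config. The step's `uses:` line and the enclosing job start outside this hunk.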