From 2ec55c60701276c7f38ebbc1bdaf7586ba30971f Mon Sep 17 00:00:00 2001
From: Arunavo Ray
Date: Sun, 15 Jun 2025 14:11:45 +0530
Subject: [PATCH] Migrate from Trivy to Docker scout

---
 .github/workflows/docker-scan.yml | 39 +++++++++++++++----------------
 1 file changed, 19 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/docker-scan.yml b/.github/workflows/docker-scan.yml
index 0e22b62..c5bb2c0 100644
--- a/.github/workflows/docker-scan.yml
+++ b/.github/workflows/docker-scan.yml
@@ -22,6 +22,7 @@ permissions:
   contents: read
   actions: read
   security-events: write
+  pull-requests: write # Required for Docker Scout PR comments
 
 jobs:
   scan:
@@ -47,30 +48,28 @@ jobs:
           # Disable GitHub Actions cache for this workflow
           no-cache: true
 
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.28.0
+      - name: Docker Scout vulnerability scan
+        uses: docker/scout-action@v1
         with:
-          image-ref: gitea-mirror:scan
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          exit-code: '1'
-          ignore-unfixed: false
-          vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+          command: cves
+          image: gitea-mirror:scan
+          sarif-file: scout-results.sarif
+          summary: true
+          exit-code: true
+          only-severities: critical,high
+          write-comment: true
 
-      - name: Upload Trivy scan results to GitHub Security tab
+      - name: Upload Docker Scout scan results to GitHub Security tab
         uses: github/codeql-action/upload-sarif@v3
         if: always()
         with:
-          sarif_file: 'trivy-results.sarif'
+          sarif_file: scout-results.sarif
 
-      - name: Run Trivy vulnerability scanner (table output)
-        uses: aquasecurity/trivy-action@0.28.0
-        if: failure()
+      - name: Docker Scout policy evaluation
+        uses: docker/scout-action@v1
+        if: always()
         with:
-          image-ref: gitea-mirror:scan
-          format: 'table'
-          exit-code: '0'
-          ignore-unfixed: false
-          vuln-type: 'os,library'
-          severity: 'CRITICAL,HIGH'
+          command: policy
+          image: gitea-mirror:scan
+          exit-code: false
+          write-comment: true
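Review bot: `pull-requests: write` is added to the workflow-level `permissions:` block (the hunk's `jobs:` context sits at column 0 directly below it), so the write scope is granted to every job in this workflow rather than only to the `scan` job that posts the comment. If any other job exists outside this hunk, move the grant to a job-level `permissions:` under `scan:` so the remaining jobs keep the read-only defaults. Note also that on `pull_request` runs from forks the token is read-only regardless of this block, so whether `write-comment: true` can actually post depends on the workflow trigger, which is outside the hunk.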
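Review bot: Both new steps reference `docker/scout-action@v1`, a mutable major tag, where the Trivy steps they replace were pinned to a specific release (`aquasecurity/trivy-action@0.28.0`); a floating tag lets the action's code change underneath this workflow without review, so pin each `uses:` to a full commit SHA with the version as a trailing comment, e.g. `uses: docker/scout-action@<full-commit-sha> # v1.x.y` (placeholder — take the SHA from the release you verified). Docker Scout also needs Docker Hub credentials; if no `docker/login-action` step (or `dockerhub-user`/`dockerhub-password` inputs) precedes these steps in the part of the `steps:` list outside this hunk, both scans will fail before `scout-results.sarif` is produced, and the `if: always()` upload step will then fail on a missing file. The `command: policy` step is likely to need an `organization:` input as well, since policy evaluation is scoped to a Docker organization — worth confirming against the action's docs. The enclosing `steps:` sequence begins before this hunk.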