trivy instead of anchore.

2025-12-06 00:17:10 +00:00 · 2025-04-24 22:30:07 +02:00 · 2025-04-24 22:30:07 +02:00 · 38af88a0e3
commit 38af88a0e3
parent bd60054066
1 changed files with 20 additions and 18 deletions
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@ -61,18 +61,20 @@ jobs:
          tags: "${{ env.DOCKER_REPO_DEV }}:${{ github.ref_name }}"
          build-args: |
            version=${{ env.version }}
-      - name: Scan image
-        id: scan
-        uses: anchore/scan-action@v6
+
+      - name: Run Trivy vulnerability scan
+        uses: aquasecurity/trivy-action@0.30.0
        with:
-          image: "${{ env.DOCKER_REPO_DEV }}:${{ github.ref_name }}"
-          fail-build: false
-          severity-cutoff: critical
-          output-format: sarif
-      - name: Upload Anchore scan SARIF report
+          image-ref: "${{ env.DOCKER_REPO_DEV }}:${{ github.ref_name }}"
+          format: 'sarif'
+          exit-code: 0
+          severity: 'CRITICAL,HIGH'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan SARIF report
        uses: github/codeql-action/upload-sarif@v3
        with:
-          sarif_file: ${{ steps.scan.outputs.sarif }}
+          sarif_file: 'trivy-results.sarif'

  build:
    runs-on: ubuntu-latest
@ -146,18 +148,18 @@ jobs:
          digest="${{ steps.build.outputs.digest }}"
          touch "${{ runner.temp }}/digests/${digest#sha256:}"

-      - name: Scan image
-        id: scan
-        uses: anchore/scan-action@v6
+      - name: Run Trivy vulnerability scan
+        uses: aquasecurity/trivy-action@0.30.0
        with:
-          image: ${{ env.DOCKERHUB_REPO }}/protonmail-bridge:${{ steps.build.outputs.digest }}
-          fail-build: true
-          severity-cutoff: critical
-          output-format: sarif
-      - name: Upload Anchore scan SARIF report
+          image-ref: "${{ env.DOCKERHUB_REPO }}:${{ env.version }}-build"
+          format: 'sarif'
+          exit-code: 0
+          severity: 'CRITICAL,HIGH'
+          output: 'trivy-results.sarif'
+      - name: Upload Trivy scan SARIF report
        uses: github/codeql-action/upload-sarif@v3
        with:
-          sarif_file: ${{ steps.scan.outputs.sarif }}
+          sarif_file: 'trivy-results.sarif'

      - name: Upload digest
        uses: actions/upload-artifact@v4