Merge branch 'main' into jsjoeio-update-vscode-164

jsjoeio · web-flow · commit 3980b85455e3 · 2022-03-04T16:00:18.000-07:00
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -464,7 +464,6 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v3
       - name: Run Trivy vulnerability scanner in repo mode
-        #Commit SHA for v0.0.17
         uses: aquasecurity/trivy-action@296212627a1e693efa09c00adc3e03b2ba8edf18
         with:
           scan-type: "fs"
diff --git a/.github/workflows/trivy-docker.yaml b/.github/workflows/trivy-docker.yaml
@@ -0,0 +1,65 @@
+name: Trivy Nightly Docker Scan
+
+on:
+  # Run scans if the workflow is modified, in order to test the
+  # workflow itself. This results in some spurious notifications,
+  # but seems okay for testing.
+  pull_request:
+    branches:
+      - main
+    paths:
+      - .github/workflows/trivy-docker.yaml
+
+  # Run scans against master whenever changes are merged.
+  push:
+    branches:
+      - main
+    paths:
+      - .github/workflows/trivy-docker.yaml
+
+  schedule:
+    # Run at 10:15 am UTC (3:15am PT/5:15am CT)
+    # Run at 0 minutes 0 hours of every day.
+    - cron: "15 10 * * *"
+
+  workflow_dispatch:
+
+permissions:
+  actions: none
+  checks: none
+  contents: read
+  deployments: none
+  issues: none
+  packages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+# Cancel in-progress runs for pull requests when developers push
+# additional changes, and serialize builds in branches.
+# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+
+jobs:
+  trivy-scan-image:
+    runs-on: ubuntu-20.04
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner in image mode
+        uses: aquasecurity/trivy-action@296212627a1e693efa09c00adc3e03b2ba8edf18
+        with:
+          image-ref: "docker.io/codercom/code-server:latest"
+          ignore-unfixed: true
+          format: "sarif"
+          output: "trivy-image-results.sarif"
+          severity: "HIGH,CRITICAL"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: "trivy-image-results.sarif"
