feat: trivy workloflow

honestbank · Nov 4, 2024 · c03e17d · c03e17d
1 parent 8fd0c1a
commit c03e17d
Show file tree

Hide file tree

Showing 3 changed files with 48 additions and 1 deletion.
diff --git a/.github/workflows/repository-trivy.yaml b/.github/workflows/repository-trivy.yaml
@@ -0,0 +1,28 @@
+# yamllint disable rule:line-length
+# Use template from https://github.com/honestbank/workflows/tree/main/examples/repository-workflows
+---
+name: "repository-trivy"
+permissions:
+  contents: read
+
+on:  # yamllint disable-line rule:truthy
+  pull_request:
+    branches:
+      - test
+      - dev
+      - qa
+      - prod
+      - main
+  push:
+    branches:
+      - test
+      - dev
+      - qa
+      - prod
+      - main
+
+jobs:
+  repository-checkov:
+    name: repository-trivy
+    uses: honestbank/workflows/.github/workflows/shared-repository-trivy.yaml@bibek/devop-5320-create-trivy-shared-workflow
+    secrets: inherit
diff --git a/README.md b/README.md
@@ -50,7 +50,7 @@ role in the shared VPC host project.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_random"></a> [random](#provider\_random) | 3.6.2 |
+| <a name="provider_random"></a> [random](#provider\_random) | n/a |
 
 ## Modules
 

diff --git a/trivy.yaml b/trivy.yaml
@@ -0,0 +1,19 @@
+scan:
+  skip-dirs:
+    - test
+    - .terraform
+
+  misconfiguration:
+    exclude-downloaded-modules: true   # Exclude third-party downloaded modules from scanning
+
+# Specify the ignore file for ignored checks or vulnerabilities
+ignoreFile: .trivyignore
+
+# Define the severities to focus on (UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL)
+severity:
+  - HIGH
+  - CRITICAL
+  - MEDIUM
+
+# Exit with code 1 if vulnerabilities or misconfigurations are found default to 0
+exit-code: 1