From 67cd136ac011962d82ecb4dd4268771836fbcb9a Mon Sep 17 00:00:00 2001
From: George Taylor
Date: Fri, 31 May 2024 10:16:02 +0100
Subject: [PATCH] fix ansible image (#312)
* refactor: Improve installation process for session manager plugin in Dockerfile
* trivy scan
* Add .trivyignore file for filtering Trivy scans
---
 .github/workflows/ansible-aws-image-build.yml | 8 ++++++--
 docker/delius-ansible-aws/.trivyignore | 1 +
 2 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 docker/delius-ansible-aws/.trivyignore
diff --git a/.github/workflows/ansible-aws-image-build.yml b/.github/workflows/ansible-aws-image-build.yml
index 52cf50fa..a7e59e6d 100644
--- a/.github/workflows/ansible-aws-image-build.yml
+++ b/.github/workflows/ansible-aws-image-build.yml
@@ -78,12 +78,16 @@ jobs:
 docker load --input /tmp/ansible-aws-image.tar
 - name: Trivy scan
- uses: aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2
+ uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561
 with:
 format: 'sarif'
- severity: 'MEDIUM,HIGH,CRITICAL'
+ severity: 'CRITICAL,HIGH'
+ limit-severities-for-sarif: 'true'
 image-ref: 'hmpps-delius-operational-automation:${{ github.sha }}'
 exit-code: '1'
+ scan-type: 'image'
+ trivyignores: '.trivyignore'
+ ignore-unfixed: 'true'
 output: 'trivy-results.sarif'
 - name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v3
diff --git a/docker/delius-ansible-aws/.trivyignore b/docker/delius-ansible-aws/.trivyignore
new file mode 100644
index 00000000..0e8a9578
--- /dev/null
+++ b/docker/delius-ansible-aws/.trivyignore
@@ -0,0 +1 @@
+# Trivy Ignore file https://aquasecurity.github.io/trivy/v0.51/docs/configuration/filtering/
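Review bot: The added `trivyignores: '.trivyignore'` is a path relative to the checkout root, but the ignore file this commit creates lives at `docker/delius-ansible-aws/.trivyignore`; unless the step sets a `working-directory` outside the hunk, the action will not find it, so the input should read `trivyignores: 'docker/delius-ansible-aws/.trivyignore'`. Note also that `ignore-unfixed: 'true'` combined with `limit-severities-for-sarif: 'true'` means a CRITICAL finding with no upstream fix neither fails the job via `exit-code: '1'` nor reaches the Security tab, so a comment above the step such as `# Unfixed findings and MEDIUM-and-below are suppressed from both the gate and the SARIF upload; revisit when fixes land` would record that trade-off for the next reader. Finally, the new `uses:` SHA pin carries no tag comment, so `uses: aquasecurity/trivy-action@b2933f565dbc598b29947660e66259e3c7bc8561 # <tag the SHA was taken from>` would keep the pin readable and updatable. The enclosing job definition starts and ends outside the hunk.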