This commit is contained in:
Andy Stoneberg 2025-09-18 20:11:31 +00:00 committed by GitHub
commit d7b8f4b740
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 57 additions and 0 deletions


@ -0,0 +1,57 @@
name: Trivy FS scanning
on:
schedule:
- cron: '0 6 * * 0' # Every Sunday at 6:00 AM UTC
workflow_dispatch:
inputs:
branch:
description: 'Branch to scan'
required: true
default: 'notebooks-v2'
type: choice
options:
- notebooks-v1
- notebooks-v2
permissions:
actions: read
security-events: write
jobs:
build:
if: github.event_name == 'workflow_dispatch' || ( github.event_name == 'schedule' && github.repository == 'kubeflow/notebooks' )
name: Trivy FS scan
runs-on: ubuntu-latest
strategy:
matrix:
branch: ${{ github.event_name == 'workflow_dispatch' && fromJSON(format('["{0}"]', github.event.inputs.branch)) || fromJSON('["notebooks-v1", "notebooks-v2"]') }}
steps:
- name: Checkout code
id: checkout
uses: actions/checkout@v4
with:
ref: refs/heads/${{ matrix.branch }} # using explicit refs syntax due to requirements of upload-sarif action
- name: Run Trivy vulnerability scanner in fs mode
uses: aquasecurity/trivy-action@0.33.1
with:
scan-type: 'fs'
format: 'sarif'
severity: 'CRITICAL,HIGH'
ignore-unfixed: true
output: 'trivy-fs-scan-results-${{ matrix.branch }}.sarif'
- name: Add branch metadata to SARIF
run: |
# Modify ruleId to include branch information for identification
jq '.runs[0].results[] |= (.ruleId = "trivy-fs-${{ matrix.branch }}-" + .ruleId)' \
trivy-fs-scan-results-${{ matrix.branch }}.sarif > trivy-fs-scan-results-${{ matrix.branch }}-processed.sarif
mv trivy-fs-scan-results-${{ matrix.branch }}-processed.sarif trivy-fs-scan-results-${{ matrix.branch }}.sarif
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-fs-scan-results-${{ matrix.branch }}.sarif'
ref: ${{ steps.checkout.outputs.ref }}
sha: ${{ steps.checkout.outputs.commit }}
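Review bot: The "Add branch metadata to SARIF" step interpolates `${{ matrix.branch }}` directly into the shell script and into the jq program, which is the pattern GitHub documents as script injection; here the value is bounded by the `type: choice` options and the fixed fallback list, so it is a hardening and style point rather than an exploitable defect, but passing the value through `env:` and quoting it keeps the step safe if the input or matrix source is ever widened. The three actions are pinned by tag (`actions/checkout@v4`, `aquasecurity/trivy-action@0.33.1`, `github/codeql-action/upload-sarif@v3`); for a workflow that holds `security-events: write`, pinning to full commit SHAs with the tag in a trailing comment is the usual supply-chain expectation. Nothing after checkout pushes, so `persist-credentials: false` on the checkout step would stop the token from being left in `.git/config` for the later third-party step to read. Since the `permissions:` block sets all unlisted scopes to none, it may be worth adding `contents: read` explicitly rather than relying on the repository being public for checkout and SARIF upload — confirm against the upload-sarif permission requirements.
```yaml
# … unchanged: checkout and trivy scan steps …
- name: Add branch metadata to SARIF
  env:
    BRANCH: ${{ matrix.branch }}
  run: |
    # Modify ruleId to include branch information for identification
    jq --arg prefix "trivy-fs-${BRANCH}-" '.runs[0].results[] |= (.ruleId = $prefix + .ruleId)' \
      "trivy-fs-scan-results-${BRANCH}.sarif" > "trivy-fs-scan-results-${BRANCH}-processed.sarif"
    mv "trivy-fs-scan-results-${BRANCH}-processed.sarif" "trivy-fs-scan-results-${BRANCH}.sarif"
# … unchanged: upload-sarif step …
```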