Add a GitHub Workflow for the Trivy security scanner (#23084)
* Add a GitHub Workflow for the Trivy security scanner * Add initial ignore statements for Trivy. These accept every finding Trivy currently reports in the repository, so that only newly introduced findings are flagged.
This commit is contained in:
parent
64b10f1ccb
commit
5d82604d58
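--- /dev/null
+++ b/.github/workflows/trivy.yaml
@@ -0,0 +1,17 @@
+name: Trivy
+
+on:
+  push:
+    branches:
+      - master
+      - branch/*
+  pull_request:
+  merge_group:
+
+jobs:
+  trivy:
+    uses: gravitational/shared-workflows/.github/workflows/trivy.yaml@main
+    permissions:
+      actions: read
+      contents: read
+      security-events: write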
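Review bot: The reusable workflow at `uses: gravitational/shared-workflows/.github/workflows/trivy.yaml@main` is pulled from a mutable branch, so whatever lands on that branch (or whoever can push to it) runs in this repository's CI with the `security-events: write` token this job grants. Pin it to a full commit SHA, e.g. `uses: gravitational/shared-workflows/.github/workflows/trivy.yaml@<commit-sha> # main`, and let a dependency bot bump the pin. The floating ref also makes results non-reproducible: a change in the shared workflow can turn a previously green commit red with nothing changing here. The permissions block itself looks minimal for a SARIF upload, so no change there.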
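--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,23 @@
+# Dockerfiles and Kubernetes YAMLs don't support inline ignores with Trivy, so
+# we have to set a global ignore for these for now.
+AVD-DS-0002
+AVD-KSV-0109
+AVD-KSV-0110
+DS001
+DS013
+DS026
+KSV001
+KSV003
+KSV009
+KSV011
+KSV012
+KSV013
+KSV014
+KSV015
+KSV016
+KSV018
+KSV020
+KSV021
+KSV030
+KSV047
+KSV106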
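Review bot: Every ID in `.trivyignore` is suppressed repository-wide, so the checks listed here (e.g. `KSV001`, `DS026`) will also stay silent for any Dockerfile or Kubernetes manifest added later; the "still flag new findings" goal from the description holds only for checks not on this list, which is worth stating. The header comment explains why the file exists but not what each entry accepts; add a one-line reason per entry or group, e.g. `# KSV001: accepted for <manifest/chart>, tracked in <issue>`, so the next reader can tell an accepted risk from a forgotten one. If the Trivy version used by the shared workflow supports it, an expiry suffix (`<ID> exp:YYYY-MM-DD`) would force periodic re-review of these exceptions; I can't confirm the version from this page.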
|
@ -14,6 +14,12 @@ data "google_compute_network" "default" {
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
#trivy:ignore:AVD-GCP-0047
|
||||||
|
#trivy:ignore:AVD-GCP-0049
|
||||||
|
#trivy:ignore:AVD-GCP-0051
|
||||||
|
#trivy:ignore:AVD-GCP-0056
|
||||||
|
#trivy:ignore:AVD-GCP-0059
|
||||||
|
#trivy:ignore:AVD-GCP-0061
|
||||||
resource "google_container_cluster" "loadtest" {
|
resource "google_container_cluster" "loadtest" {
|
||||||
name = var.cluster_name
|
name = var.cluster_name
|
||||||
location = var.region
|
location = var.region
|
||||||
|
@ -25,6 +31,13 @@ resource "google_container_cluster" "loadtest" {
|
||||||
initial_node_count = 1
|
initial_node_count = 1
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#trivy:ignore:AVD-GCP-0048
|
||||||
|
#trivy:ignore:AVD-GCP-0049
|
||||||
|
#trivy:ignore:AVD-GCP-0050
|
||||||
|
#trivy:ignore:AVD-GCP-0054
|
||||||
|
#trivy:ignore:AVD-GCP-0057
|
||||||
|
#trivy:ignore:AVD-GCP-0058
|
||||||
|
#trivy:ignore:AVD-GCP-0063
|
||||||
resource "google_container_node_pool" "loadtest" {
|
resource "google_container_node_pool" "loadtest" {
|
||||||
name = var.cluster_name
|
name = var.cluster_name
|
||||||
cluster = google_container_cluster.loadtest.name
|
cluster = google_container_cluster.loadtest.name
|
||||||
|
|