keycloak-scim/.github/workflows/trivy-analysis.yml

name: Trivy

on:
  workflow_dispatch:

defaults:
  run:
    shell: bash

jobs:

  analysis:
    name: Vulnerability scanner for nightly containers
    runs-on: ubuntu-latest
    if: github.repository == 'keycloak/keycloak'
    strategy:
      matrix:
        container: [keycloak, keycloak-operator]
      fail-fast: false
    steps:
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d
        with:
          image-ref: quay.io/keycloak/${{ matrix.container}}:nightly
          format: template
          template: '@/contrib/sarif.tpl'
          output: trivy-results.sarif
          severity: MEDIUM,CRITICAL,HIGH
          ignore-unfixed: true
          security-checks: vuln
          timeout: 15m

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
Automatic scan Keycloak docker image for vulnerabilities (#10777) * Automatic scan Keycloak docker image for vulnerabilities The changes proposed here will run Trivy scanner twice a day to search vulnerabilities into our main images. Resolves #10764 Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> * Update .github/workflows/trivy-analysis.yml Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> Co-authored-by: Stian Thorgersen <stian@redhat.com> 2022-03-29 14:17:20 +00:00			`name: Trivy`
Keycloak CI workflow refactoring (#15968) * Keycloak CI workflow refactoring Closes #15861 * Update testsuite/integration-arquillian/tests/base/testsuites/base-suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update CodeQL actions Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> 2022-12-14 15:12:23 +00:00
Automatic scan Keycloak docker image for vulnerabilities (#10777) * Automatic scan Keycloak docker image for vulnerabilities The changes proposed here will run Trivy scanner twice a day to search vulnerabilities into our main images. Resolves #10764 Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> * Update .github/workflows/trivy-analysis.yml Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> Co-authored-by: Stian Thorgersen <stian@redhat.com> 2022-03-29 14:17:20 +00:00			`on:`
Keycloak CI workflow refactoring (#15968) * Keycloak CI workflow refactoring Closes #15861 * Update testsuite/integration-arquillian/tests/base/testsuites/base-suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update CodeQL actions Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> 2022-12-14 15:12:23 +00:00			`workflow_dispatch:`
Automatic scan Keycloak docker image for vulnerabilities (#10777) * Automatic scan Keycloak docker image for vulnerabilities The changes proposed here will run Trivy scanner twice a day to search vulnerabilities into our main images. Resolves #10764 Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> * Update .github/workflows/trivy-analysis.yml Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> Co-authored-by: Stian Thorgersen <stian@redhat.com> 2022-03-29 14:17:20 +00:00
Keycloak CI workflow refactoring (#15968) * Keycloak CI workflow refactoring Closes #15861 * Update testsuite/integration-arquillian/tests/base/testsuites/base-suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update CodeQL actions Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> 2022-12-14 15:12:23 +00:00			`defaults:`
			`run:`
			`shell: bash`
Automatic scan Keycloak docker image for vulnerabilities (#10777) * Automatic scan Keycloak docker image for vulnerabilities The changes proposed here will run Trivy scanner twice a day to search vulnerabilities into our main images. Resolves #10764 Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> * Update .github/workflows/trivy-analysis.yml Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> Co-authored-by: Stian Thorgersen <stian@redhat.com> 2022-03-29 14:17:20 +00:00
Keycloak CI workflow refactoring (#15968) * Keycloak CI workflow refactoring Closes #15861 * Update testsuite/integration-arquillian/tests/base/testsuites/base-suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update CodeQL actions Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> 2022-12-14 15:12:23 +00:00			`jobs:`
Automatic scan Keycloak docker image for vulnerabilities (#10777) * Automatic scan Keycloak docker image for vulnerabilities The changes proposed here will run Trivy scanner twice a day to search vulnerabilities into our main images. Resolves #10764 Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> * Update .github/workflows/trivy-analysis.yml Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> Co-authored-by: Stian Thorgersen <stian@redhat.com> 2022-03-29 14:17:20 +00:00
Keycloak CI workflow refactoring (#15968) * Keycloak CI workflow refactoring Closes #15861 * Update testsuite/integration-arquillian/tests/base/testsuites/base-suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update CodeQL actions Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> 2022-12-14 15:12:23 +00:00			`analysis:`
			`name: Vulnerability scanner for nightly containers`
			`runs-on: ubuntu-latest`
			`if: github.repository == 'keycloak/keycloak'`
			`strategy:`
			`matrix:`
			`container: [keycloak, keycloak-operator]`
			`fail-fast: false`
Automatic scan Keycloak docker image for vulnerabilities (#10777) * Automatic scan Keycloak docker image for vulnerabilities The changes proposed here will run Trivy scanner twice a day to search vulnerabilities into our main images. Resolves #10764 Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> * Update .github/workflows/trivy-analysis.yml Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> Co-authored-by: Stian Thorgersen <stian@redhat.com> 2022-03-29 14:17:20 +00:00			`steps:`
			`- name: Run Trivy vulnerability scanner`
Bump aquasecurity/trivy-action from 0.17.0 to 0.18.0 Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.17.0 to 0.18.0. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](https://github.com/aquasecurity/trivy-action/compare/84384bd6e777ef152729993b8145ea352e9dd3ef...062f2592684a31eb3aa050cc61e7ca1451cecd3d) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> 2024-03-01 00:56:28 +00:00			`uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d`
Automatic scan Keycloak docker image for vulnerabilities (#10777) * Automatic scan Keycloak docker image for vulnerabilities The changes proposed here will run Trivy scanner twice a day to search vulnerabilities into our main images. Resolves #10764 Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> * Update .github/workflows/trivy-analysis.yml Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> Co-authored-by: Stian Thorgersen <stian@redhat.com> 2022-03-29 14:17:20 +00:00			`with:`
Keycloak CI workflow refactoring (#15968) * Keycloak CI workflow refactoring Closes #15861 * Update testsuite/integration-arquillian/tests/base/testsuites/base-suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update CodeQL actions Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> 2022-12-14 15:12:23 +00:00			`image-ref: quay.io/keycloak/${{ matrix.container}}:nightly`
			`format: template`
Automatic scan Keycloak docker image for vulnerabilities (#10777) * Automatic scan Keycloak docker image for vulnerabilities The changes proposed here will run Trivy scanner twice a day to search vulnerabilities into our main images. Resolves #10764 Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> * Update .github/workflows/trivy-analysis.yml Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> Co-authored-by: Stian Thorgersen <stian@redhat.com> 2022-03-29 14:17:20 +00:00			`template: '@/contrib/sarif.tpl'`
Keycloak CI workflow refactoring (#15968) * Keycloak CI workflow refactoring Closes #15861 * Update testsuite/integration-arquillian/tests/base/testsuites/base-suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update CodeQL actions Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> 2022-12-14 15:12:23 +00:00			`output: trivy-results.sarif`
			`severity: MEDIUM,CRITICAL,HIGH`
Automatic scan Keycloak docker image for vulnerabilities (#10777) * Automatic scan Keycloak docker image for vulnerabilities The changes proposed here will run Trivy scanner twice a day to search vulnerabilities into our main images. Resolves #10764 Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> * Update .github/workflows/trivy-analysis.yml Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> Co-authored-by: Stian Thorgersen <stian@redhat.com> 2022-03-29 14:17:20 +00:00			`ignore-unfixed: true`
Trivy Workflow failing with context deadline exceeded Closes #16974 2023-02-09 15:30:49 +00:00			`security-checks: vuln`
			`timeout: 15m`
Automatic scan Keycloak docker image for vulnerabilities (#10777) * Automatic scan Keycloak docker image for vulnerabilities The changes proposed here will run Trivy scanner twice a day to search vulnerabilities into our main images. Resolves #10764 Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> * Update .github/workflows/trivy-analysis.yml Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> Co-authored-by: Stian Thorgersen <stian@redhat.com> 2022-03-29 14:17:20 +00:00
			`- name: Upload Trivy scan results to GitHub Security tab`
Bump github/codeql-action from 2 to 3 (#25557) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/v2...v3) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2024-01-02 11:47:02 +00:00			`uses: github/codeql-action/upload-sarif@v3`
Automatic scan Keycloak docker image for vulnerabilities (#10777) * Automatic scan Keycloak docker image for vulnerabilities The changes proposed here will run Trivy scanner twice a day to search vulnerabilities into our main images. Resolves #10764 Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> * Update .github/workflows/trivy-analysis.yml Co-authored-by: Václav Muzikář <vaclav@muzikari.cz> Co-authored-by: Stian Thorgersen <stian@redhat.com> 2022-03-29 14:17:20 +00:00			`with:`
Keycloak CI workflow refactoring (#15968) * Keycloak CI workflow refactoring Closes #15861 * Update testsuite/integration-arquillian/tests/base/testsuites/base-suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update testsuite/integration-arquillian/tests/base/testsuites/suite.sh Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> * Update CodeQL actions Co-authored-by: Hynek Mlnařík <hmlnarik@users.noreply.github.com> 2022-12-14 15:12:23 +00:00			`sarif_file: trivy-results.sarif`