mirror of
https://github.com/aquasecurity/trivy-action.git
synced 2026-05-14 03:02:40 +00:00
e368e32897
* ci: add zizmor security linter for GitHub Actions
* ci: disable advanced-security for zizmor
* ci: pin all actions to commit hashes
* ci: fix zizmor linter errors in workflows
  - Add explicit permissions blocks to all workflows
  - Set persist-credentials: false for checkout actions
  - Fix template injection by using env variables in run blocks
* fix: address zizmor template injection warnings in action.yaml
  - Move inputs to env block to prevent template injection
  - Add ignore comment for github-env false positive
* ci: fix remaining zizmor linter errors
  - Add permissions and persist-credentials to test.yaml
  - Fix ignore comment placement for github-env in action.yaml
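# CI workflow: lints the repository's GitHub Actions workflows with zizmor and
# runs the Bats test suite (`make test`) against a fixed Trivy release.
name: Test

on:
  push:
  pull_request:
  workflow_dispatch:

env:
  # Quoted so the value is always loaded as a string, whatever the parser.
  TRIVY_VERSION: '0.69.1'
  # Workflow-wide default; the "Test" step overrides it with the path reported
  # by the bats-action step.
  BATS_LIB_PATH: '/usr/lib/'

jobs:
  lint:
    runs-on: ubuntu-latest
    # Least privilege: the job token can only read repository contents.
    permissions:
      contents: read
    steps:
      # Third-party actions are pinned to a full commit hash; the trailing
      # comment records the release the hash was taken from.
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          # Keep the job token out of the checked-out repo's git config so
          # later steps cannot pick it up from disk.
          persist-credentials: false

      - name: Run zizmor
        uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
        with:
          # Presumably keeps findings in the job output instead of uploading
          # them to code scanning, which would need `security-events: write`
          # on this job - confirm against the zizmor-action documentation.
          advanced-security: false

  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
        with:
          persist-credentials: false

      - name: Setup Bats and bats libs
        id: setup-bats
        uses: bats-core/bats-action@42fcc8700f773c075a16a90eb11674c0318ad507 # 3.0.1

      - name: Install Trivy
        # An explicit `shell: bash` makes the runner use `bash -eo pipefail`,
        # so a failed download fails the step instead of being masked by the
        # exit status of `sh` at the end of the pipe.
        shell: bash
        # NOTE(review): install.sh is fetched from the mutable `main` branch
        # and piped straight into a shell. Unlike the actions above it is not
        # pinned to a commit, so a change to that script runs here unreviewed.
        # Consider fetching it at a pinned commit or verifying a checksum of
        # the script before executing it.
        run: |
          # The version is read from the shell environment rather than expanded
          # with a template expression, so the value is never spliced into the
          # script text before the shell parses it.
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
            | sh -s -- -b /usr/local/bin "v${TRIVY_VERSION}"
          trivy --version

      - name: Test
        env:
          # Step output is passed through `env`, not interpolated into `run`.
          BATS_LIB_PATH: ${{ steps.setup-bats.outputs.lib-path }}
        run: make test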