Use the trivy action instead of hand-roll

authzed · Oct 25, 2024 · c8e739c · c8e739c
1 parent a56b412
commit c8e739c
Showing 1 changed file with 11 additions and 4 deletions.
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
@@ -77,7 +77,14 @@ jobs:
           GORELEASER_KEY: "${{ secrets.GORELEASER_KEY }}"
       - name: "Obtain container image to scan"
         run: 'echo "IMAGE_VERSION=$(jq .version dist/linux_amd64_v1/metadata.json --raw-output)" >> $GITHUB_ENV'
-      - name: "run trivy on release image"
-        # NOTE: the --registry-token flag is used to ensure that we're making an authenticated request to ghcr; otherwise we get
-        # rate-limited.
-        run: "docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image --registry-token ${{ secrets.GITHUB_TOKEN }} --format table --exit-code 1 --ignore-unfixed --no-progress --severity CRITICAL,HIGH,MEDIUM authzed/spicedb:v${{ env.IMAGE_VERSION }}-amd64"
+      - uses: "aquasecurity/trivy-action@master"
+        name: "run trivy on release image"
+        with:
+          scan-type: "image"
+          scan-ref: "authzed/spicedb:v${{ env.IMAGE_VERSION }}-amd64"
+          ignore-unfixed: true
+          format: "table"
+          exit-code: "1"
+          severity: "CRITICAL,HIGH,MEDIUM"
+          # We already set up trivy in a previous step
+          skip-setup-trivy: true