diff --git a/.github/workflows/pulsar-ci.yaml b/.github/workflows/pulsar-ci.yaml index 6b18ba54a8875..7a835dc0a5371 100644 --- a/.github/workflows/pulsar-ci.yaml +++ b/.github/workflows/pulsar-ci.yaml @@ -658,25 +658,26 @@ jobs: src/check-binary-license.sh ./distribution/server/build/distributions/apache-pulsar-*-bin.tar.gz src/check-binary-license.sh ./distribution/shell/build/distributions/apache-pulsar-shell-*-bin.tar.gz -# - name: Run Trivy container scan -# id: trivy_scan -# uses: aquasecurity/trivy-action@v0.35.0 -# if: ${{ github.repository == 'apache/pulsar' && github.event_name != 'pull_request' }} -# continue-on-error: true -# with: -# image-ref: "apachepulsar/pulsar:latest" -# scanners: vuln -# severity: CRITICAL,HIGH,MEDIUM,LOW -# limit-severities-for-sarif: true -# format: 'sarif' -# output: 'trivy-results.sarif' -# -# - name: Upload Trivy scan results to GitHub Security tab -# uses: github/codeql-action/upload-sarif@v3 -# if: ${{ steps.trivy_scan.outcome == 'success' && github.repository == 'apache/pulsar' && github.event_name != 'pull_request' }} -# continue-on-error: true -# with: -# sarif_file: 'trivy-results.sarif' + - name: Run Trivy container scan + id: trivy_scan + uses: lhotari/sandboxed-trivy-action@555963036b2012b44c1071508a236e569db28ebb + if: ${{ github.repository == 'apache/pulsar' && github.event_name != 'pull_request' }} + continue-on-error: true + with: + scan-type: 'image' + scan-ref: "apachepulsar/pulsar:latest" + scanners: vuln + severity: CRITICAL,HIGH,MEDIUM,LOW + limit-severities-for-sarif: true + format: 'sarif' + output: 'trivy-results.sarif' + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v4 + if: ${{ steps.trivy_scan.outcome == 'success' && github.repository == 'apache/pulsar' && github.event_name != 'pull_request' }} + continue-on-error: true + with: + sarif_file: 'trivy-results.sarif' - name: Save docker image to file run: |