ci: replace aquasecurity/trivy-action with inline binary
The trivy-action does an internal actions/checkout against github.com/aquasecurity/trivy, which fails on Gitea (act_runner injects Gitea creds; clone returns exit 128). Switch to the same inline-download pattern we use for gitleaks. Refs: M0.2
This commit is contained in:
@@ -47,12 +47,13 @@ jobs:
|
||||
/tmp/gitleaks detect --source . --no-banner --redact --verbose --exit-code 1
|
||||
|
||||
- name: trivy fs scan
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
scan-type: fs
|
||||
severity: HIGH,CRITICAL
|
||||
exit-code: 1
|
||||
ignore-unfixed: true
|
||||
shell: bash
|
||||
run: |
|
||||
set -euo pipefail
|
||||
TRIVY_VERSION=0.50.0
|
||||
curl -fsSL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" \
|
||||
| tar -xz -C /tmp trivy
|
||||
/tmp/trivy fs --severity HIGH,CRITICAL --exit-code 1 --no-progress --skip-dirs node_modules,target,dist .
|
||||
|
||||
validate:
|
||||
runs-on: docker
|
||||
|
||||
Reference in New Issue
Block a user