Conversation

@lhotari
Member

@lhotari lhotari commented Mar 31, 2025

Request for adding a new GitHub Action to the allow list

Overview

GitHub Action for Trivy security scanner.

Name of action:
aquasecurity/trivy-action

URL of action:
https://github.com/marketplace/actions/aqua-security-trivy
https://github.com/aquasecurity/trivy-action

Version to pin to (branch, tag, hash):
0.31.0

Checklist

You should be able to check most of these boxes for an action to be considered for review.
Please check all boxes that currently apply:

  • The action is listed in the GitHub Actions Marketplace
  • The action is not already on the list of approved actions
  • The action has a sufficient number of contributors or has contributors within the ASF community
  • The action has a clearly defined license
  • The action is actively developed or maintained
  • The action has CI/unit tests configured

@assignUser
Member

@assignUser assignUser left a comment

Same here, please pin the SHA of the latest release.

@assignUser
Member

The action uses aquasecurity/[email protected] which is not pinned to a SHA (funny how the security scanner is not following best practice ^^), so that will prevent this from running even after the PR is merged.

I commented on the related issue that hasn't gotten much attention: aquasecurity/trivy-action#423
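The comment above is about a composite action that references its own sub-action by a version tag instead of a commit SHA, which is exactly what an allow-list check rejects. The following is an added example, not code from this PR or from trivy-action: a small POSIX shell check that lists every remote `uses:` reference in a workflow or composite action.yml that is not pinned to a full 40-character commit SHA, plus a helper that resolves a tag to the commit SHA you would pin. The action.yml content, the version strings and the SHA in it are constructed for illustration (they are not trivy-action's real manifest), and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the PR or of trivy-action): find `uses:` references in a
# workflow or composite action that are pinned to a tag/branch instead of a commit SHA.
# The action.yml below is constructed for illustration; the version strings and the SHA
# are placeholders, not the real trivy-action manifest.

SAMPLE_ACTION_YML='name: "Trivy (sample)"
runs:
  using: composite
  steps:
    - name: Install Trivy
      uses: aquasecurity/setup-trivy@v0.2.0
    - name: Checkout
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    - name: Local step
      uses: ./.github/actions/local
    - name: Docker step
      uses: docker://alpine:3.20'

# Print every remote `uses:` reference that is not pinned to a full 40-hex-char SHA.
# Local (./) and docker:// references are skipped: they are not resolved from a git tag.
find_unpinned() {
  printf '%s\n' "$1" \
    | sed -n 's/^[[:space:]-]*uses:[[:space:]]*\([^[:space:]#]*\).*/\1/p' \
    | grep -v -e '^\./' -e '^docker://' \
    | grep -v -E '@[0-9a-f]{40}$' || true
}

# Succeeds (exit 0) only when every remote reference is SHA-pinned.
is_fully_pinned() {
  [ -z "$(find_unpinned "$1")" ]
}

# Resolve a tag to the commit SHA you would pin (needs network access; not exercised offline).
# For an annotated tag, ls-remote prints the peeled `refs/tags/<tag>^{}` line right after
# the tag line, so the last line is the commit either way.
resolve_tag_sha() {
  repo="$1"; tag="$2"
  git ls-remote "https://github.com/$repo.git" "refs/tags/$tag" | tail -n 1 | cut -f1
}

# Usage: list the references in the sample that still need pinning.
find_unpinned "$SAMPLE_ACTION_YML"
```

Run against the sample, `find_unpinned` prints only `aquasecurity/setup-trivy@v0.2.0`; the SHA-pinned checkout, the local `./` step and the `docker://` step are skipped. `resolve_tag_sha aquasecurity/trivy-action 0.31.0` needs network access and returns the commit the tag points at, which is the value GitHub matches on, not the SHA of an annotated tag object.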

@lhotari
Member Author

lhotari commented Apr 2, 2025

The action uses aquasecurity/[email protected] which is not pinned to a SHA (funny how the security scanner is not following best practice ^^), so that will prevent this from running even after the PR is merged.

I commented on the related issue that hasn't gotten much attention: aquasecurity/trivy-action#423

@assignUser Thanks for the great analysis. I opened PR aquasecurity/trivy-action#456 to address the issue in trivy-action.

@lhotari lhotari marked this pull request as draft April 2, 2025 14:27
@assignUser
Member

@lhotari the fix was released with 0.31.0 if you rebase and update the hashes we can proceed with this!

@lhotari
Member Author

lhotari commented Jun 24, 2025

@lhotari the fix was released with 0.31.0 if you rebase and update the hashes we can proceed with this!

Rebased and added the hash for 0.31.0. Please review @assignUser. I didn't remove * since I guess it will expire soon.

@lhotari lhotari marked this pull request as ready for review June 24, 2025 22:29
@lhotari lhotari requested a review from assignUser June 24, 2025 22:29
@raboof
Member

raboof commented Jun 25, 2025

If I understand correctly, Trivy is a 'verified creator' and for that reason doesn't need to be allowlisted. If that's true (I'm 85% confident), we should probably document that instead of allowlisting this action?

@assignUser
Member

@raboof I am 100% against having that setting turned on, and we will turn that off once we turn the tags and wildcards off too, I would guess.

@lhotari could you remove the wildcard please? We won't be adding any new ones, just keeping the legacy ones around.

@dfoulks1 dfoulks1 closed this Jul 24, 2025
@assignUser
Member

@dfoulks1 ?

assignUser added a commit that referenced this pull request Aug 30, 2025
Composite Actions can have sub-actions that also need to satisfy our allow list, but we currently don't have a way to check this. #276 #135

This 'runs' the dummy job but doesn't run any of the actions; this means the runner will download all actions, and in that process any new/changed sub-actions would trigger the allow list.

4 participants