Diffstat (limited to '.github/workflows/security.yml')
-rw-r--r--.github/workflows/security.yml24
1 files changed, 13 insertions, 11 deletions
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 669d0f293..8a59e5062 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -24,21 +24,23 @@ jobs:
steps:
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: "false"
- - name: Run Trivy scanner
- uses: aquasecurity/trivy-action@0.32.0
+ - name: Sync GHCS from Docker Scout
+ uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
with:
- image-ref: "ghcr.io/searxng/searxng:latest"
- vuln-type: "os,library"
- severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
- ignore-unfixed: "false"
- format: "sarif"
- output: "./trivy-results.sarif"
+ organization: "searxng"
+ dockerhub-user: "${{ secrets.DOCKERHUB_USERNAME }}"
+ dockerhub-password: "${{ secrets.DOCKERHUB_TOKEN }}"
+ image: "registry://ghcr.io/searxng/searxng:latest"
+ command: "cves"
+ sarif-file: "./scout.sarif"
+ exit-code: "false"
+ write-comment: "false"
- name: Upload SARIFs
- uses: github/codeql-action/upload-sarif@v3
+ uses: github/codeql-action/upload-sarif@a4e1a019f5e24960714ff6296aee04b736cbc3cf # v3.29.6
with:
- sarif_file: "./trivy-results.sarif"
+ sarif_file: "./scout.sarif"