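# Pull-request workflow: checks out the repository and runs the Aqua scanner
# container (a Trivy filesystem scan of the working tree).
#
# Secrets are not passed to `pull_request` runs that originate from forks, so
# AQUA_KEY / AQUA_SECRET are empty there and the scanner cannot authenticate.
name: Aqua
on: pull_request
# NOTE(review): no `permissions:` block is declared, so GITHUB_TOKEN carries the
# repository's default scopes. Declare the minimum explicitly once the scopes
# the scanner actually needs are confirmed.
jobs:
  aqua:
    name: Aqua scanner
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        # v2 targets a Node.js runtime that GitHub has retired; use a
        # maintained major version.
        uses: actions/checkout@v4
      - name: Run Aqua scanner
        # NOTE(review): the image is referenced without a tag or digest, so
        # whatever the registry currently serves runs with the secrets below.
        # Pin it to a reviewed digest, e.g.
        #   docker://aquasec/aqua-scanner@sha256:<DIGEST_PLACEHOLDER>
        uses: docker://aquasec/aqua-scanner
        with:
          args: trivy fs --scanners config,vuln,secret --sast --reachability .
          # --sast (SAST scanning) and --reachability (reachability scanning)
          # are already enabled in the args above; drop a flag to disable it.
          # To customize which severities to scan for, add the following flag:
          #   --severity UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
          # To enable npm/dotnet/gradle non-lock file scanning, add:
          #   --package-json / --dotnet-proj / --gradle
        env:
          # Scanner credentials come from repository secrets.
          AQUA_KEY: ${{ secrets.AQUA_KEY }}
          AQUA_SECRET: ${{ secrets.AQUA_SECRET }}
          # Per-run token issued by GitHub for this job.
          GITHUB_TOKEN: ${{ github.token }}
          # Regional Aqua endpoints (asia-1).
          AQUA_URL: https://api.asia-1.supply-chain.cloud.aquasec.com
          CSPM_URL: https://asia-1.api.cloudsploit.com
          TRIVY_RUN_AS_PLUGIN: 'aqua'
          # For http/https proxy configuration add env vars:
          #   HTTP_PROXY/HTTPS_PROXY, CA-CRET (path to CA certificate)
          # NOTE(review): "CA-CRET" is kept as written in the original
          # template; confirm the exact variable name against the scanner
          # documentation before relying on it.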