widgets/.github/workflows/aqua.yml at master · alma/widgets · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
name: Aqua

on:
  pull_request:
    branches:
      - master

jobs:
  aqua:
    name: Code scanning
    runs-on: ubuntu-24.04

    permissions:
      contents: read
      id-token: write

    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          show-progress: false

      - name: Authenticate to Google Cloud
        id: gcloud-auth
        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
        with:
          token_format: access_token
          workload_identity_provider: projects/699052769907/locations/global/workloadIdentityPools/github-identity-pool-shared/providers/github-identity-provider-shared  # yamllint disable-line
          service_account: [email protected]

      - name: Authenticate to Artifact Registry
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: europe-docker.pkg.dev
          username: oauth2accesstoken
          password: ${{ steps.gcloud-auth.outputs.access_token }}

      - name: Run Aqua scanner
        uses: docker://aquasec/aqua-scanner
        env:
          AQUA_KEY: ${{ secrets.AQUA_KEY }}
          AQUA_SECRET: ${{ secrets.AQUA_SECRET }}
          GITHUB_TOKEN: ${{ github.token }}
          AQUA_URL: https://api.eu-1.supply-chain.cloud.aquasec.com
          CSPM_URL: https://eu-1.api.cloudsploit.com
          TRIVY_RUN_AS_PLUGIN: aqua
          TRIVY_DB_REPOSITORY: europe-docker.pkg.dev/lyrical-carver-335213/remote-cache-aquasec/trivy-db:2
        with:
          args: trivy fs --sast --reachability --scanners misconfig,vuln,secret .