35 行
827 B
YAML
35 行
827 B
YAML
# LAB ONLY
|
|
# 用途: 文件系统、配置与秘密扫描
|
|
# 目标范围: 自有代码仓和实验目录
|
|
# 风险: 可能报告历史样例、测试密钥或教学用漏洞文件
|
|
# 不适用: 未经白名单梳理直接作为生产阻断策略
|
|
name: trivy-fs
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
trivy-fs:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Install Trivy
|
|
run: |
|
|
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
|
|
|
|
- name: Scan repository
|
|
run: |
|
|
trivy fs \
|
|
--scanners vuln,secret,config \
|
|
--severity HIGH,CRITICAL \
|
|
--exit-code 0 \
|
|
.
|