by flarecoder
81 days ago
Scans container images for vulnerabilities with Trivy running inside a sandboxed Docker container. This action is a fork of aquasecurity/trivy-action, hardened so that Trivy itself runs inside a locked-down Docker container rather than directly on the runner. Credits to Aqua Security for the original action.

The container is started with strict settings that limit what a compromised or malicious Trivy process could do on the runner and reduce the attack surface for container escape:
* --read-only filesystem — the container's root filesystem is read-only, so nothing inside it can be modified or planted
* --cap-drop ALL — all Linux capabilities are dropped (no CAP_SYS_ADMIN, CAP_NET_RAW, etc.)
* --security-opt no-new-privileges:true — processes cannot gain additional privileges through setuid/setgid binaries or file capabilities
* All scan targets are mounted read-only
* Only the output and cache directories are mounted writable
* A tmpfs is mounted at /tmp for Trivy's temporary files
* No direct Docker socket access — for image scans, docker save runs on the runner host and exports the image to a tar file; only that tar file, mounted read-only, is visible to the scanning container

Contributions are welcome to improve this!
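The following script is an added example, not the action's own code, showing how the sandboxing described above can be reproduced by hand with a plain docker run. It assumes docker is installed on the host, that the image to scan is already present locally, and that the Trivy image is the official aquasec/trivy image (whose entrypoint is trivy and which ships /bin/sh); the TRIVY_IMAGE default, the /scan, /out and cache mount points, and the helper names are choices made here, not taken from the action.

```shell
#!/usr/bin/env sh
# Added example (not part of the forked action): scan a local image with Trivy
# inside a hardened container, mirroring the settings listed above.
# Assumptions: docker on the host, image present locally, official Trivy image.
set -eu

TRIVY_IMAGE="${TRIVY_IMAGE:-aquasec/trivy:latest}"   # assumption: official image

# Hardening flags shared by every run: immutable root filesystem, no Linux
# capabilities, no privilege gain via setuid/file caps, tmpfs for scratch files.
sandbox_flags() {
  printf '%s' "--read-only --cap-drop ALL --security-opt no-new-privileges:true --tmpfs /tmp"
}

# Mount flags: the scan target is read-only; only the output and the Trivy
# cache directories are writable. The Docker socket is never mounted.
# $1 = directory holding image.tar, $2 = output dir, $3 = cache dir
# (paths must not contain whitespace, since the flags are word-split below)
mount_flags() {
  printf -- '-v %s:/scan:ro -v %s:/out -v %s:/root/.cache/trivy' "$1" "$2" "$3"
}

# Export the image on the host with docker save, then scan the tar file inside
# the sandboxed container. $1 = image reference, $2 = working directory.
scan_image() {
  image="$1"; work="$2"
  mkdir -p "$work/scan" "$work/out" "$work/cache"
  docker save "$image" -o "$work/scan/image.tar"
  # shellcheck disable=SC2046  # word-splitting the flag strings is intended
  docker run --rm $(sandbox_flags) $(mount_flags "$work/scan" "$work/out" "$work/cache") \
    "$TRIVY_IMAGE" image --input /scan/image.tar \
    --format json --output /out/results.json
  echo "results written to $work/out/results.json"
}

# Sanity check that the sandbox holds: with the same flags, writing to the
# root filesystem must fail. Returns 0 if the write is rejected, 1 otherwise.
# Assumes the Trivy image contains /bin/sh.
verify_sandbox() {
  # shellcheck disable=SC2046
  if docker run --rm $(sandbox_flags) --entrypoint sh "$TRIVY_IMAGE" \
       -c 'touch /probe' 2>/dev/null; then
    echo "sandbox check FAILED: root filesystem is writable" >&2
    return 1
  fi
  echo "sandbox check ok: root filesystem is read-only"
}

# Usage (not run automatically):
#   TRIVY_RUN=1 ./scan.sh myapp:latest /tmp/trivywork
if [ "${TRIVY_RUN:-}" = "1" ]; then
  verify_sandbox
  scan_image "$1" "$2"
fi
```

The scan itself needs the vulnerability database, which Trivy downloads into the cache mount on first run; if you pre-populate that cache you can additionally add --network none, which the page's list does not include but which is the natural next step for this kind of sandbox.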