
Update trivy.yml #132

Merged
merged 3 commits into from
Aug 30, 2023

Conversation

@helenwangjia (Collaborator) commented Aug 24, 2023

To address the trivy warning "The ubuntu-18.04 environment is deprecated, consider switching to ubuntu-20.04 (ubuntu-latest), or ubuntu-22.04 instead. For more details see https://github.com/actions/virtual-environments/issues/6002", I am changing the runner to ubuntu-22.04.

I also updated the trivy version to the latest release.

@helenwangjia (Collaborator, Author) commented Aug 24, 2023

```yaml
name: trivy
on:
  push:
    branches:
      - master
      - linter
  schedule:
    - cron: '0 0 * * 1'
jobs:
  build:
    name: Static Analysis
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: get trivy
        run: |
          wget https://github.com/aquasecurity/trivy/releases/download/v0.44.1/trivy_0.44.1_Linux-64bit.deb
          sudo dpkg -i trivy_0.44.1_Linux-64bit.deb

      - name: Build an image from Dockerfile
        run: |
          trivy fs osect_sensor/
```

Result of testing the above locally:

```text
[osect_so@ OsecT] (update-trivy *%=)(unified-it-o-63054301)$ sudo act -W .github/workflows/trivy.yml
[trivy/Static Analysis] 🚀  Start image=catthehacker/ubuntu:act-22.04
[trivy/Static Analysis]   🐳  docker pull image=catthehacker/ubuntu:act-22.04 platform= username= forcePull=true
[trivy/Static Analysis]   🐳  docker create image=catthehacker/ubuntu:act-22.04 platform= entrypoint=["tail" "-f" "/dev/null"] cmd=[]
[trivy/Static Analysis]   🐳  docker run image=catthehacker/ubuntu:act-22.04 platform= entrypoint=["tail" "-f" "/dev/null"] cmd=[]
[trivy/Static Analysis] ⭐ Run Main Checkout code
[trivy/Static Analysis]   🐳  docker cp src=/home/osect_so/OsecT/. dst=/home/osect_so/OsecT
[trivy/Static Analysis]   ✅  Success - Main Checkout code
[trivy/Static Analysis] ⭐ Run Main get trivy
[trivy/Static Analysis]   🐳  docker exec cmd=[bash --noprofile --norc -e -o pipefail /var/run/act/workflow/1] user= workdir=
| --2023-08-24 23:28:41--  https://github.com/aquasecurity/trivy/releases/download/v0.44.1/trivy_0.44.1_Linux-64bit.deb
| Resolving github.com (github.com)... 20.27.177.113
| Connecting to github.com (github.com)|20.27.177.113|:443... connected.
| HTTP request sent, awaiting response... 302 Found
| Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/180687624/9efac8ed-bebe-42ec-b982-65cc8accc410?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230824%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230824T232841Z&X-Amz-Expires=300&X-Amz-Signature=386793e68ae40381ec131935914c942918b33525842bf124b90a26cd344c3622&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=180687624&response-content-disposition=attachment%3B%20filename%3Dtrivy_0.44.1_Linux-64bit.deb&response-content-type=application%2Foctet-stream [following]
| --2023-08-24 23:28:42--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/180687624/9efac8ed-bebe-42ec-b982-65cc8accc410?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20230824%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20230824T232841Z&X-Amz-Expires=300&X-Amz-Signature=386793e68ae40381ec131935914c942918b33525842bf124b90a26cd344c3622&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=180687624&response-content-disposition=attachment%3B%20filename%3Dtrivy_0.44.1_Linux-64bit.deb&response-content-type=application%2Foctet-stream
| Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.111.133, 185.199.109.133, 185.199.108.133, ...
| Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.111.133|:443... connected.
| HTTP request sent, awaiting response... 200 OK
| Length: 54685068 (52M) [application/octet-stream]
| Saving to: ‘trivy_0.44.1_Linux-64bit.deb’
| 
trivy_0.44.1_Linux- 100%[===================>]  52.15M  43.7MB/s    in 1.2s    
| 
| 2023-08-24 23:28:43 (43.7 MB/s) - ‘trivy_0.44.1_Linux-64bit.deb’ saved [54685068/54685068]
| 
| Selecting previously unselected package trivy.
(Reading database ... 25543 files and directories currently installed.)
| Preparing to unpack trivy_0.44.1_Linux-64bit.deb ...
| Unpacking trivy (0.44.1) ...
| Setting up trivy (0.44.1) ...
[trivy/Static Analysis]   ✅  Success - Main get trivy
[trivy/Static Analysis] ⭐ Run Main Build an image from Dockerfile
[trivy/Static Analysis]   🐳  docker exec cmd=[bash --noprofile --norc -e -o pipefail /var/run/act/workflow/2] user= workdir=
| 2023-08-24T23:28:45.583Z      INFO    Need to update DB
| 2023-08-24T23:28:45.583Z      INFO    DB Repository: ghcr.io/aquasecurity/trivy-db
| 2023-08-24T23:28:45.583Z      INFO    Downloading DB...
| 
| 2023-08-24T23:28:47.912Z      INFO    Vulnerability scanning is enabled
| 2023-08-24T23:28:47.912Z      INFO    Secret scanning is enabled
| 2023-08-24T23:28:47.912Z      INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
| 2023-08-24T23:28:47.912Z      INFO    Please see also https://aquasecurity.github.io/trivy/v0.44/docs/scanner/secret/#recommendation for faster secret detection
| 2023-08-24T23:28:48.145Z      INFO    Number of language-specific files: 1
| 2023-08-24T23:28:48.145Z      INFO    Detecting pip vulnerabilities...
[trivy/Static Analysis]   ✅  Success - Main Build an image from Dockerfile
[trivy/Static Analysis] 🏁  Job succeeded
```

/home/runner/work/ lives on the filesystem inside the GitHub Actions execution environment. The repository code is cloned into this directory and each step defined in the workflow is run there. For the local test, I scanned osect_sensor with `trivy fs osect_sensor/` as a quick check.
It passed.
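The "get trivy" step in the workflow above installs whatever `wget` returns, with no integrity check between the download and `sudo dpkg -i`. As an added example that is not code from the OsecT repository or from this PR, the POSIX shell function below verifies a downloaded release asset against a goreleaser-style checksums file (one `<sha256>  <filename>` entry per line; that Trivy publishes such a file as `trivy_<version>_checksums.txt` alongside each release is an assumption here) and refuses the file when the entry is missing or the digest differs. The sample package and checksum are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the OsecT repository or this PR.
# Verifies a downloaded release asset against a goreleaser-style checksums
# file ("<sha256>  <filename>" per line) before it is handed to dpkg.

sha256_of() {
  # Print the hex SHA-256 of $1 with whichever tool the runner provides.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

verify_sha256() {
  # $1 = downloaded file, $2 = checksums file.
  # Returns 0 only when the checksums file lists the file's basename and the
  # listed digest equals the file's actual digest; otherwise prints why and
  # returns 1 so a "run:" step with "set -e" semantics stops before dpkg.
  file=$1
  sums=$2
  name=$(basename "$file")
  expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
  if [ -z "$expected" ]; then
    echo "verify_sha256: no entry for $name in $sums" >&2
    return 1
  fi
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "verify_sha256: digest mismatch for $name" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
  fi
  echo "verify_sha256: OK $name"
}

demo() {
  # Stand-alone demonstration with a constructed stand-in for the package:
  # the file holds "hello\n", whose SHA-256 is the well-known value below.
  tmp=$(mktemp -d)
  printf 'hello\n' > "$tmp/trivy_0.44.1_Linux-64bit.deb"
  printf '%s  %s\n' \
    5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 \
    trivy_0.44.1_Linux-64bit.deb > "$tmp/trivy_0.44.1_checksums.txt"
  verify_sha256 "$tmp/trivy_0.44.1_Linux-64bit.deb" "$tmp/trivy_0.44.1_checksums.txt"
  rc=$?
  rm -rf "$tmp"
  return $rc
}

# In the workflow, the "get trivy" step would fetch the checksums file next to
# the .deb (URL assumed to follow the release asset naming) and gate dpkg on it:
#   wget https://github.com/aquasecurity/trivy/releases/download/v0.44.1/trivy_0.44.1_checksums.txt
#   verify_sha256 trivy_0.44.1_Linux-64bit.deb trivy_0.44.1_checksums.txt
#   sudo dpkg -i trivy_0.44.1_Linux-64bit.deb

demo
```

Because GitHub's default `run:` shell is `bash -e`, a non-zero return from `verify_sha256` fails the step before `dpkg` runs, so a tampered or truncated download never gets installed on the runner. Pinning the version in the URL (as the PR already does) is what makes the published checksum meaningful; a `latest` redirect would have nothing fixed to compare against.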

@takuma0121 takuma0121 merged commit d9abef6 into main Aug 30, 2023
4 checks passed
@takuma0121 takuma0121 deleted the update-trivy branch August 30, 2023 00:13