Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[CI] Add Trivy vulnerables check #6

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
48 changes: 48 additions & 0 deletions .github/workflows/trivy_check.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
name: Trivy check for sub repos

on:
pull_request:
push:
branches:
- main

jobs:
test:
name: Trivy check for sub repos
runs-on: [self-hosted, regular]

steps:
- name: Checkout repository
uses: actions/checkout@v2

- name: Check and Install Latest Trivy
run: |
mkdir -p $HOME/bin

LATEST_VERSION=$(curl -sL https://api.github.com/repos/aquasecurity/trivy/releases/latest | jq -r ".tag_name")
CLEAN_VERSION=${LATEST_VERSION#v}

INSTALL_TRIVY=true

if [[ -f "$HOME/bin/trivy" ]]; then
INSTALLED_VERSION=$("$HOME/bin/trivy" --version | grep -oE 'Version: [0-9]+\.[0-9]+\.[0-9]+' | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
if [ "$INSTALLED_VERSION" == "$CLEAN_VERSION" ]; then
echo "Trivy is already up-to-date (version $INSTALLED_VERSION)."
INSTALL_TRIVY=false
else
echo "Updating Trivy from version $INSTALLED_VERSION to $CLEAN_VERSION."
fi
else
echo "Trivy is not installed. Installing version $CLEAN_VERSION."
fi

if [ "$INSTALL_TRIVY" = true ]; then
wget https://github.com/aquasecurity/trivy/releases/download/$LATEST_VERSION/trivy_${CLEAN_VERSION}_Linux-64bit.tar.gz -O trivy.tar.gz
tar zxvf trivy.tar.gz -C $HOME/bin
fi

echo "$HOME/bin" >> $GITHUB_PATH

- name: Run Trivy vulnerability scanner in fs mode
run: |
trivy fs . --quiet --config trivy.yaml
79 changes: 79 additions & 0 deletions .github/workflows/trivy_image_check.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,79 @@
name: Trivy images check

env:
MODULES_MODULE_NAME: ${{ vars.MODULE_NAME }}
MODULES_MODULE_SOURCE: ${{ vars.DEV_MODULE_SOURCE }}
PR_NUMBER: ${{ github.event.pull_request.number }}
MODULES_REGISTRY: ${{ vars.DEV_REGISTRY }}
MODULES_REGISTRY_LOGIN: ${{ vars.DEV_MODULES_REGISTRY_LOGIN }}
MODULES_REGISTRY_PASSWORD: ${{ secrets.DEV_MODULES_REGISTRY_PASSWORD }}

on:
pull_request:

jobs:
test:
name: Trivy images check
runs-on: [self-hosted, regular]

steps:
- uses: actions/checkout@v4
- uses: deckhouse/modules-actions/setup@v1

- name: Check and Install Latest Trivy
run: |
mkdir -p $HOME/bin

LATEST_VERSION=$(curl -sL https://api.github.com/repos/aquasecurity/trivy/releases/latest | jq -r ".tag_name")
CLEAN_VERSION=${LATEST_VERSION#v}

INSTALL_TRIVY=true

if [[ -f "$HOME/bin/trivy" ]]; then
INSTALLED_VERSION=$("$HOME/bin/trivy" --version | grep -oE 'Version: [0-9]+\.[0-9]+\.[0-9]+' | grep -oE '[0-9]+\.[0-9]+\.[0-9]+')
if [ "$INSTALLED_VERSION" == "$CLEAN_VERSION" ]; then
echo "Trivy is already up-to-date (version $INSTALLED_VERSION)."
INSTALL_TRIVY=false
else
echo "Updating Trivy from version $INSTALLED_VERSION to $CLEAN_VERSION."
fi
else
echo "Trivy is not installed. Installing version $CLEAN_VERSION."
fi

if [ "$INSTALL_TRIVY" = true ]; then
wget https://github.com/aquasecurity/trivy/releases/download/$LATEST_VERSION/trivy_${CLEAN_VERSION}_Linux-64bit.tar.gz -O trivy.tar.gz
tar zxvf trivy.tar.gz -C $HOME/bin
fi

echo "$HOME/bin" >> $GITHUB_PATH

- name: Run Trivy vulnerability scanner in image mode
run: |
exit_code=0
image_name=$MODULES_MODULE_SOURCE/$MODULES_MODULE_NAME
image_name_with_tag=$MODULES_MODULE_SOURCE/$MODULES_MODULE_NAME:pr$PR_NUMBER

crane_output=$(crane export $image_name_with_tag | tar -xOf - images_digests.json | jq -c 'to_entries[]')

while read -r item; do
key=$(echo "$item" | jq -r '.key')
value=$(echo "$item" | jq -r '.value')

echo 'Checking image '$key' '$value

trivy image --quiet --config trivy-silent.yaml --format table $image_name@$value

result=$(trivy image --quiet --config trivy-silent.yaml --format json $image_name@$value)

vulnerabilities=$(echo "$result" | jq '[.Results[]? | select(has("Vulnerabilities")) | .Vulnerabilities | length] | add // 0')

if [ "$vulnerabilities" -gt 0 ]; then
echo "There are vulnerabilities in image"
exit_code=1
else
echo "There are no vulnerabilities in image"
fi
done <<< "$crane_output"

exit $exit_code
1 change: 1 addition & 0 deletions trivy-silent.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
exit-code: 0
2 changes: 2 additions & 0 deletions trivy.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
format: table
exit-code: 1
Loading