Trivy Scan #250
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Trivy Scan | |
| on: | |
| # every morning at 5am (winter) or 6am (summer) Berlin time | |
| schedule: | |
| - cron: "0 4 * * *" | |
| # Allow to run this workflow manually | |
| workflow_dispatch: | |
| env: | |
| CONTAINER_REGISTRY: ghcr.io | |
| CONTAINER_IMAGE_NAME: ${{ github.repository }} | |
| CONTAINER_IMAGE_VERSION: ${{ github.sha }} # sha of the last commit of the default branch | |
| jobs: | |
| reset-trivy-cache: | |
| runs-on: ubuntu-latest | |
| steps: | |
| # TODO with latest release 0.24.0 there is no environment variable for resetting cache anymore | |
| # GH issue: https://github.com/aquasecurity/trivy-action/issues/372 | |
| # - name: Remove all caches and database of the trivy scanner | |
| # uses: aquasecurity/trivy-action@d9cd5b1c23aaf8cb31bb09141028215828364bbb | |
| # env: | |
| # TRIVY_RESET: true | |
| # with: | |
| # scan-type: "image" | |
| - name: Download trivy vulnerabilities DB | |
| uses: aquasecurity/trivy-action@97646fedde05bcd0961217c60b50e23f721e7ec7 | |
| env: | |
| TRIVY_DOWNLOAD_DB_ONLY: true | |
| with: | |
| scan-type: "image" | |
| - name: Download trivy Java index DB | |
| uses: aquasecurity/trivy-action@97646fedde05bcd0961217c60b50e23f721e7ec7 | |
| env: | |
| TRIVY_DOWNLOAD_JAVA_DB_ONLY: true | |
| with: | |
| scan-type: "image" | |
| vulnerability-scan-frontend: | |
| runs-on: ubuntu-latest | |
| needs: reset-trivy-cache | |
| permissions: | |
| contents: read | |
| id-token: write # for cosign w/ keyless signing | |
| packages: write # for updating cosign attestation | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Run Trivy vulnerability file scanner | |
| # Third-party action, pin to commit SHA! | |
| # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
| uses: aquasecurity/trivy-action@97646fedde05bcd0961217c60b50e23f721e7ec7 | |
| with: | |
| scan-type: "fs" | |
| scan-ref: "./frontend" | |
| skip-dirs: "node_modules" # See https://github.com/aquasecurity/trivy/issues/1283 | |
| format: "sarif" | |
| output: "trivy-results.sarif" | |
| - name: Check trivy results | |
| run: | | |
| if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then | |
| echo "Vulnerabilities found" | |
| exit 1 | |
| else | |
| echo "No significant vulnerabilities found" | |
| exit 0 | |
| fi | |
| - name: Upload Trivy file scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code.. | |
| with: | |
| sarif_file: "trivy-results.sarif" | |
| category: trivy-fs-scan | |
| - name: Send status to Slack | |
| # Third-party action, pin to commit SHA! | |
| # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions | |
| uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0 | |
| if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
| with: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} | |
| vulnerability-scan-image: | |
| runs-on: ubuntu-latest | |
| needs: reset-trivy-cache | |
| permissions: | |
| contents: read | |
| id-token: write # for cosign w/ keyless signing | |
| packages: write # for updating cosign attestation | |
| security-events: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Run Trivy vulnerability image scanner | |
| uses: aquasecurity/trivy-action@97646fedde05bcd0961217c60b50e23f721e7ec7 | |
| with: | |
| image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
| format: "sarif" | |
| output: "trivy-results.sarif" | |
| - name: Check trivy results | |
| run: | | |
| if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then | |
| echo "Vulnerabilities found" | |
| exit 1 | |
| else | |
| echo "No significant vulnerabilities found" | |
| exit 0 | |
| fi | |
| - name: Upload Trivy image scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code.. | |
| with: | |
| sarif_file: "trivy-results.sarif" | |
| category: trivy-image-scan | |
| - name: Generate cosign vulnerability scan record | |
| uses: aquasecurity/trivy-action@97646fedde05bcd0961217c60b50e23f721e7ec7 | |
| env: | |
| TRIVY_USERNAME: ${{ github.actor }} | |
| TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
| format: "cosign-vuln" | |
| output: "vuln.json" | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 | |
| - name: Log into container registry | |
| uses: docker/login-action@3b8fed7e4b60203b2aa0ecc6c6d6d91d12c06760 | |
| with: | |
| registry: ${{ env.CONTAINER_REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Attest vulnerability scan | |
| run: cosign attest --yes --replace --predicate vuln.json --type vuln ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }} | |
| - name: Send status to Slack | |
| uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0 | |
| if: ${{ failure() && github.ref == 'refs/heads/main' }} | |
| with: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} |