-
Notifications
You must be signed in to change notification settings - Fork 1
137 lines (132 loc) · 5.53 KB
/
early-daily-trivy.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
name: Trivy Scan
on:
# every morning at 5am (winter) or 6am (summer) Berlin time
schedule:
- cron: "0 4 * * *"
# Allow to run this workflow manually
workflow_dispatch:
env:
CONTAINER_REGISTRY: ghcr.io
CONTAINER_IMAGE_NAME: ${{ github.repository }}
CONTAINER_IMAGE_VERSION: ${{ github.sha }} # sha of the last commit of the default branch
jobs:
reset-trivy-cache:
runs-on: ubuntu-latest
steps:
# TODO with latest release 0.24.0 there is no environment variable for resetting cache anymore
# GH issue: https://github.com/aquasecurity/trivy-action/issues/372
# - name: Remove all caches and database of the trivy scanner
# uses: aquasecurity/trivy-action@d9cd5b1c23aaf8cb31bb09141028215828364bbb
# env:
# TRIVY_RESET: true
# with:
# scan-type: "image"
- name: Download trivy vulnerabilities DB
uses: aquasecurity/trivy-action@d9cd5b1c23aaf8cb31bb09141028215828364bbb
env:
TRIVY_DOWNLOAD_DB_ONLY: true
with:
scan-type: "image"
- name: Download trivy Java index DB
uses: aquasecurity/trivy-action@d9cd5b1c23aaf8cb31bb09141028215828364bbb
env:
TRIVY_DOWNLOAD_JAVA_DB_ONLY: true
with:
scan-type: "image"
vulnerability-scan-frontend:
runs-on: ubuntu-latest
needs: reset-trivy-cache
permissions:
contents: read
id-token: write # for cosign w/ keyless signing
packages: write # for updating cosign attestation
security-events: write
steps:
- uses: actions/checkout@v4
- name: Run Trivy vulnerability file scanner
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: aquasecurity/trivy-action@d9cd5b1c23aaf8cb31bb09141028215828364bbb
with:
scan-type: "fs"
scan-ref: "./frontend"
skip-dirs: "node_modules" # See https://github.com/aquasecurity/trivy/issues/1283
format: "sarif"
output: "trivy-results.sarif"
- name: Check trivy results
run: |
if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
echo "Vulnerabilities found"
exit 1
else
echo "No significant vulnerabilities found"
exit 0
fi
- name: Upload Trivy file scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
with:
sarif_file: "trivy-results.sarif"
category: trivy-fs-scan
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() && github.ref == 'refs/heads/main' }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
vulnerability-scan-image:
runs-on: ubuntu-latest
needs: reset-trivy-cache
permissions:
contents: read
id-token: write # for cosign w/ keyless signing
packages: write # for updating cosign attestation
security-events: write
steps:
- uses: actions/checkout@v4
- name: Run Trivy vulnerability image scanner
uses: aquasecurity/trivy-action@d9cd5b1c23aaf8cb31bb09141028215828364bbb
with:
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
format: "sarif"
output: "trivy-results.sarif"
- name: Check trivy results
run: |
if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
echo "Vulnerabilities found"
exit 1
else
echo "No significant vulnerabilities found"
exit 0
fi
- name: Upload Trivy image scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
with:
sarif_file: "trivy-results.sarif"
category: trivy-image-scan
- name: Generate cosign vulnerability scan record
uses: aquasecurity/trivy-action@d9cd5b1c23aaf8cb31bb09141028215828364bbb
env:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
with:
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
format: "cosign-vuln"
output: "vuln.json"
- name: Install cosign
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382
- name: Log into container registry
uses: docker/login-action@3b8fed7e4b60203b2aa0ecc6c6d6d91d12c06760
with:
registry: ${{ env.CONTAINER_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Attest vulnerability scan
run: cosign attest --yes --replace --predicate vuln.json --type vuln ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
- name: Send status to Slack
uses: digitalservicebund/notify-on-failure-gha@814d0c4b2ad6a3443e89c991f8657b10126510bf # v1.5.0
if: ${{ failure() && github.ref == 'refs/heads/main' }}
with:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}