diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 3cbb9d90..1e09fa8c 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -5,7 +5,7 @@ on:
     # Publish `master` as Docker `master` tag.
     # See also https://github.com/crazy-max/ghaction-docker-meta#basic
     branches:
-      - master
+      - trivy-ci-scan
 
     # Publish `v1.2.3` tags as releases.
     tags:
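Review bot: The push trigger now lists only `trivy-ci-scan`, so once this branch is merged the workflow stops publishing images from `master`, and until then every push to the feature branch publishes under whatever tag docker_meta derives for it; if the branch entry is a temporary test hook, add it next to `- master` rather than in its place and drop it before merge. The comment two lines above still reads `Publish master as Docker master tag`, which no longer matches the list. The enclosing `on:` block continues outside the hunk.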
@@ -101,3 +101,76 @@ jobs:
       - name: Image digest
         run: echo ${{ steps.docker_build.outputs.digest }}
+
+      - name: Run Trivy vulnerability scanner on Docker image - JSON
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ghcr.io/${{ steps.docker_meta.outputs.tags }}
+          format: json
+          output: 'trivy-dhis2-fhir-adapter-results.json'
+
+      - name: Run Trivy vulnerability scanner on Docker image - SARIF
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ghcr.io/${{ steps.docker_meta.outputs.tags }}
+          format: sarif
+          ignore-unfixed: true
+          output: 'trivy-dhis2-fhir-adapter-docker-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-dhis2-fhir-adapter-docker-results.sarif'
+
+
+      - name: Create summary of trivy issues on Docker image
+        run: |
+          summary=$(jq -r '.Results[] | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | .[] | [.Severity, .Count] | join(": ")' trivy-results.json | awk 'NR > 1 { printf(" | ") } {printf "%s",$0}')
+          if [ -z $summary ]
+          then
+            summary="0 Issues"
+          fi
+          echo "SUMMARY=$summary" >> $GITHUB_ENV
+
+      - name: Generate trivy HTML report on Docker image for download
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ghcr.io/${{ steps.docker_meta.outputs.tags }}
+          format: 'template'
+          template: '@/contrib/html.tpl'
+          output: 'trivy-results-dhis2-fhir-adapter-docker-report.html'
+
+      - name: Upload Trivy results as an artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: "trivy-results-dhis2-fhir-adapter-docker-report.html"
+          path: './trivy-results-dhis2-fhir-adapter-docker-report.html'
+          retention-days: 30
+
+      # - name: Send Slack Notification
+      #   uses: slackapi/slack-github-action@v1.19.0
+      #   with:
+      #     payload: |
+      #       {
+      #         "text": "Trivy scan results for ${{ steps.docker_meta.outputs.tags }}",
+      #         "blocks": [
+      #           {
+      #             "type": "section",
+      #             "text": {
+      #               "type": "mrkdwn",
+      #               "text": "Trivy scan results: ${{ env.SUMMARY }}"
+      #             }
+      #           },
+      #           {
+      #             "type": "section",
+      #             "text": {
+      #               "type": "mrkdwn",
+      #               "text": "View result artifact: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}. Artifact is only valid for 30 days."
+      #             }
+      #           }
+      #         ]
+      #       }
+      #   env:
+      #     SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      #     SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
+
 
diff --git a/.github/workflows/trivy-repo-scan.yml b/.github/workflows/trivy-repo-scan.yml
new file mode 100644
index 00000000..9fc3b983
--- /dev/null
+++ b/.github/workflows/trivy-repo-scan.yml
@@ -0,0 +1,26 @@
+name: Trivy Security Scan on OpenSRP-Server-Web repository
+on:
+  push:
+    branches:
+      - trivy-ci-scan
+  pull_request:
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-dhis2-fhir-adapter-repo-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-dhis2-fhir-adapter-repo-results.sarif'
\ No newline at end of file
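Review bot: The summary step reads `trivy-results.json`, but the JSON scan two steps earlier writes `trivy-dhis2-fhir-adapter-results.json`, so jq finds no file, `summary` stays empty and the step records `SUMMARY=0 Issues` whatever the scan found; use the same name in both, `summary=$(jq -r '…' trivy-dhis2-fhir-adapter-results.json | …)`, and quote the test, `if [ -z "$summary" ]`, because a real summary such as `HIGH: 3 | CRITICAL: 1` contains spaces. Every `aquasecurity/trivy-action@master` reference in this hunk (and in the new trivy-repo-scan.yml) follows a mutable branch of a third-party action that runs with this job's token; pinning a release tag or commit SHA keeps the scanner reproducible and reviewable. The JSON scan runs without `ignore-unfixed` while the SARIF scan sets it, so the summary and the Security tab will report different counts for the same image. The scans sit after the `Image digest` step, which presumably follows the push (the build/push step is outside the hunk), so findings cannot gate publication; if gating is intended, scan before the push and set `exit-code` and `severity`. The commented-out Slack step is the only consumer of `SUMMARY`, so both it and the summary step are dead weight in the file and are better tracked in an issue.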
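Review bot: The new workflow declares no `permissions:` block, and `github/codeql-action/upload-sarif@v2` needs `security-events: write` to post results to the Security tab, so on a repository whose default token is read-only the upload step fails; add `permissions:` with `contents: read` and `security-events: write` at the job or workflow level. The push trigger lists only `trivy-ci-scan`, so once this branch is merged the repository scan runs on pull requests only and never on the default branch, which belongs in the list. The workflow name refers to the OpenSRP-Server-Web repository while the output file is named for dhis2-fhir-adapter; one of the two is a leftover from copying and should be corrected. The file also lacks a trailing newline.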