diff --git a/.github/workflows/shared-publish-java-to-docker-versioned.yaml b/.github/workflows/shared-publish-java-to-docker-versioned.yaml
index 48977fdb..23d84e58 100644
--- a/.github/workflows/shared-publish-java-to-docker-versioned.yaml
+++ b/.github/workflows/shared-publish-java-to-docker-versioned.yaml
@@ -180,33 +180,14 @@ jobs:
 JAR_VERSION=${{ steps.version.outputs.new_version }}
 IMAGE_VERSION=${{ steps.version.outputs.new_version }}
 
- - name: Generate Trivy vulnerability scan report
- uses: aquasecurity/trivy-action@0.14.0
- if: inputs.publish_vulnerabilities == 'true'
- with:
- image-ref: ${{ steps.extractImageTag.outputs.firstTag }}
- format: 'sarif'
- exit-code: '0'
- ignore-unfixed: true
- severity: 'CRITICAL,HIGH'
- output: 'trivy-results.sarif'
- hide-progress: true
-
- - name: Upload Trivy scan report to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
- if: inputs.publish_vulnerabilities == 'true'
- with:
- sarif_file: 'trivy-results.sarif'
-
- - name: Test with Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@0.14.0
- with:
- image-ref: ${{ steps.extractImageTag.outputs.firstTag }}
- format: 'table'
- exit-code: '1'
- ignore-unfixed: true
- severity: ${{ inputs.vulnerability_severity }}
- hide-progress: true
+ - name: Vulnerability Scan
+ uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v2
+ with:
+ scan_severity: HIGH,CRITICAL
+ failure_severity: ${{ inputs.vulnerability_severity }}
+ publish_vulnerabilities: ${{ inputs.publish_vulnerabilities }}
+ image_ref: ${{ steps.extractImageTag.outputs.firstTag }}
+ scan_type: image
 
 - name: Push to Docker
 uses: docker/build-push-action@v5
diff --git a/.github/workflows/shared-validate-image.yaml b/.github/workflows/shared-validate-image.yaml
index 7d8bfaef..78670114 100644
--- a/.github/workflows/shared-validate-image.yaml
+++ b/.github/workflows/shared-validate-image.yaml
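Review bot: The replacement step pins the scan to the floating tag `IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v2` while this same commit changes `actions/vulnerability_scan/action.yaml` in what the paths suggest is that very repository, so the workflow only picks up those changes (and the Trivy `0.26.0` bump) once `v2` is moved to a commit containing them, and any later move of `v2` silently changes the gate that runs right before `Push to Docker`. If the repository keeps `v2` as a moving release tag this is expected, but a comment on the `uses:` line such as `# v2 must be re-tagged after changes to actions/vulnerability_scan` would make the coupling visible, and pinning a full commit SHA with `# v2` as a trailer comment is the stricter option for a publish-gating step. The removed steps passed `severity: 'CRITICAL,HIGH'` and the new call passes `scan_severity: HIGH,CRITICAL`; Trivy treats the list as a set, so that part is a no-op.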
@@ -95,39 +95,12 @@ jobs:
 JAR_VERSION=${{ steps.package.outputs.jar_version }}
 IMAGE_VERSION=${{ steps.package.outputs.jar_version }}-${{ steps.package.outputs.git_commit }}
 
- - name: Run Trivy vulnerability scanner and report to GitHub
- uses: aquasecurity/trivy-action@0.14.0
+ - name: Vulnerability Scan
+ uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v2
 with:
- image-ref: ${{ steps.meta.outputs.tags }}
- format: 'sarif'
- exit-code: '0'
- ignore-unfixed: true
- severity: ${{ inputs.failure_severity }}
- output: 'trivy-results.sarif'
-
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
- if: inputs.upload_vulnerabilities
- with:
- sarif_file: 'trivy-results.sarif'
-
- - name: Local vulnerability scanner for MEDIUM,HIGH,CRITICAL for reporting
- uses: aquasecurity/trivy-action@0.14.0
- with:
- image-ref: ${{ steps.meta.outputs.tags }}
- format: 'table'
- exit-code: '0'
- ignore-unfixed: true
- severity: 'MEDIUM,HIGH,CRITICAL'
- hide-progress: true
-
- - name: Local vulnerability scanner fail for given severity
- uses: aquasecurity/trivy-action@0.14.0
- if: inputs.fail_on_error
- with:
- image-ref: ${{ steps.meta.outputs.tags }}
- format: 'table'
- exit-code: '1'
- ignore-unfixed: true
- severity: ${{ inputs.failure_severity }}
- hide-progress: true
+ scan_severity: HIGH,CRITICAL
+ failure_severity: ${{ inputs.vulnerability_severity }}
+ publish_vulnerabilities: ${{ inputs.publish_vulnerabilities }}
+ image_ref: ${{ steps.meta.outputs.tags }}
+ scan_type: image
+ full_report: 'true'
diff --git a/actions/vulnerability_scan/action.yaml b/actions/vulnerability_scan/action.yaml
index 9e7812a7..c6ff3161 100644
--- a/actions/vulnerability_scan/action.yaml
+++ b/actions/vulnerability_scan/action.yaml
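Review bot: The new `with:` block reads `inputs.vulnerability_severity` and `inputs.publish_vulnerabilities`, but the lines it replaces in this hunk read `inputs.failure_severity`, `inputs.upload_vulnerabilities` and `inputs.fail_on_error`, and the workflow's `inputs:` section is outside the hunk. Unless those inputs were renamed in the same change, the two expressions expand to empty strings with no error: `publish_vulnerabilities` is then never `'true'`, so the SARIF upload silently stops, and the failing scan receives an empty `failure_severity`; if they were not renamed, the lines should read `failure_severity: ${{ inputs.failure_severity }}` and `publish_vulnerabilities: ${{ inputs.upload_vulnerabilities }}`. The `fail_on_error` gate has no counterpart among the values passed here, so callers that set it to false presumably now fail the job on any `failure_severity` finding, and the SARIF scan is fixed at `scan_severity: HIGH,CRITICAL` where it previously followed `failure_severity`; both are behaviour changes worth stating in the commit description.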
@@ -16,6 +16,9 @@ inputs:
 scan_type:
 description: The scan-type for aquasecurity/trivy-action action. Default to a fs scan.
 default: fs
+ full_report:
+ description: Whether to scan and report for MEDIUM,HIGH,CRITICAL
+ default: 'false'
 runs:
 using: "composite"
 steps:
@@ -32,8 +35,48 @@ runs:
 cp tmp-vulnerability-scan/trivy-secret.yaml ./trivy-secret.yaml
 rm -rf tmp-vulnerability-scan
 
+ - name: Setup oras
+ uses: oras-project/setup-oras@v1
+
+ - name: Get current date
+ id: date
+ shell: bash
+ run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+ - name: Check Cache for Databases
+ id: cache-check
+ uses: actions/cache@v4
+ with:
+ path: ${{ github.workspace }}/.cache/trivy
+ key: cache-trivy-${{ steps.date.outputs.date }}
+
+ - name: Download and extract the vulnerability DB
+ if: ${{ !steps.cache-check.outputs.cache-hit }}
+ shell: bash
+ run: |
+ mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+ oras pull ghcr.io/aquasecurity/trivy-db:2
+ tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+ rm db.tar.gz
+
+ - name: Download and extract the Java DB
+ if: ${{ !steps.cache-check.outputs.cache-hit }}
+ shell: bash
+ run: |
+ mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+ oras pull ghcr.io/aquasecurity/trivy-java-db:1
+ tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+ rm javadb.tar.gz
+
+ - name: Cache DBs
+ uses: actions/cache/save@v4
+ if: ${{ !steps.cache-check.outputs.cache-hit }}
+ with:
+ path: ${{ github.workspace }}/.cache/trivy
+ key: cache-trivy-${{ steps.date.outputs.date }}
+
 - name: Generate Trivy vulnerability scan report
- uses: aquasecurity/trivy-action@0.14.0
+ uses: aquasecurity/trivy-action@0.26.0
 if: inputs.publish_vulnerabilities == 'true'
 with:
 image-ref: ${{ inputs.image_ref }}
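Review bot: The new `full_report` input's description does not say that the value is a string compared with `== 'true'` downstream or that the extra scan it enables is report-only (the step it gates runs with `exit-code: '0'` later in this commit). Suggest `description: "Set to 'true' to also run a non-failing MEDIUM,HIGH,CRITICAL table scan for reporting; 'false' (default) skips it"` so callers know both the expected form and the effect.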
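Review bot: The three conditionals `if: ${{ !steps.cache-check.outputs.cache-hit }}` rely on `actions/cache` leaving `cache-hit` empty on a miss; the output is a string, so the documented comparison `if: steps.cache-check.outputs.cache-hit != 'true'` is the robust form and keeps working if `restore-keys` are ever added (a partial hit then yields the non-empty string `'false'`, which as far as I can tell the `!` form treats as truthy, skipping the download). The block also restores with `actions/cache@v4` and saves with `actions/cache/save@v4` under the same key, so the cache action's own post-job save will try the same key again; using `actions/cache/restore@v4` for the check step makes the explicit save the only writer. Since the key is the calendar date and the later scan steps set `TRIVY_SKIP_DB_UPDATE`, a run uses a DB up to a day old, which deserves a comment such as `# DB refreshed at most once per day; scan steps skip Trivy's own update`. The identical block is added to `actions/vulnerability_scan_filesystem/action.yaml` in this commit and the same points apply there.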
@@ -44,6 +87,9 @@ runs:
 severity: ${{ inputs.scan_severity }}
 output: 'trivy-results.sarif'
 hide-progress: true
+ env:
+ TRIVY_SKIP_DB_UPDATE: true
+ TRIVY_SKIP_JAVA_DB_UPDATE: true
 
 - name: Upload Trivy scan report to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v3
@@ -51,8 +97,23 @@ runs:
 with:
 sarif_file: 'trivy-results.sarif'
 
+ - name: Local vulnerability scanner for MEDIUM,HIGH,CRITICAL for reporting
+ if: ${{ inputs.full_report == 'true' }}
+ uses: aquasecurity/trivy-action@0.26.0
+ with:
+ image-ref: ${{ inputs.image_ref }}
+ scan-type: ${{ inputs.scan_type }}
+ format: 'table'
+ exit-code: '0'
+ ignore-unfixed: true
+ severity: 'MEDIUM,HIGH,CRITICAL'
+ hide-progress: true
+ env:
+ TRIVY_SKIP_DB_UPDATE: true
+ TRIVY_SKIP_JAVA_DB_UPDATE: true
+
 - name: Test with Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@0.14.0
+ uses: aquasecurity/trivy-action@0.26.0
 with:
 image-ref: ${{ inputs.image_ref }}
 scan-type: ${{ inputs.scan_type }}
@@ -61,3 +122,6 @@ runs:
 ignore-unfixed: true
 severity: ${{ inputs.failure_severity }}
 hide-progress: true
+ env:
+ TRIVY_SKIP_DB_UPDATE: true
+ TRIVY_SKIP_JAVA_DB_UPDATE: true
diff --git a/actions/vulnerability_scan_filesystem/action.yaml b/actions/vulnerability_scan_filesystem/action.yaml
index 42a10efe..f4dd120e 100644
--- a/actions/vulnerability_scan_filesystem/action.yaml
+++ b/actions/vulnerability_scan_filesystem/action.yaml
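Review bot: The two-line `env:` block (`TRIVY_SKIP_DB_UPDATE`, `TRIVY_SKIP_JAVA_DB_UPDATE`) is repeated on every Trivy step: this hunk, the `full_report` step and the `@@ -61,3` hunk below, and twice more in `actions/vulnerability_scan_filesystem/action.yaml`. A Trivy step added later without it would quietly fall back to fetching the DB from ghcr.io mid-run, defeating the cache added above; one `shell: bash` step right after `Cache DBs` running `echo "TRIVY_SKIP_DB_UPDATE=true" >> "$GITHUB_ENV"` and `echo "TRIVY_SKIP_JAVA_DB_UPDATE=true" >> "$GITHUB_ENV"` would apply to every subsequent step of the job (this should hold for composite-action steps as well, but is worth a quick check) and lets the copies go. If the per-step form is kept, a comment on the first copy, `# use the DB restored above; do not let trivy-action refresh it`, would explain why the flag is set.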
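Review bot: The `Local vulnerability scanner` step keeps `ignore-unfixed: true` even though it is reporting-only (`exit-code: '0'`), so findings that have no upstream fix yet never appear in the table either; for a report whose purpose is visibility, dropping `ignore-unfixed` here while leaving it on the failing `Test with Trivy vulnerability scanner` step shows the complete picture without changing the gate. This step also writes its condition as `if: ${{ inputs.full_report == 'true' }}` while the neighbouring steps use the bare `if: inputs.publish_vulnerabilities == 'true'`; one form should be used throughout the file. A short comment above the step, `# report-only: never fails the job; enabled by full_report`, would make the role of this third Trivy invocation clear.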
@@ -27,8 +27,48 @@ runs:
 cp tmp-vulnerability-scan/trivy-secret.yaml ./trivy-secret.yaml
 rm -rf tmp-vulnerability-scan
 
+ - name: Setup oras
+ uses: oras-project/setup-oras@v1
+
+ - name: Get current date
+ id: date
+ shell: bash
+ run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+ - name: Check Cache for Databases
+ id: cache-check
+ uses: actions/cache@v4
+ with:
+ path: ${{ github.workspace }}/.cache/trivy
+ key: cache-trivy-${{ steps.date.outputs.date }}
+
+ - name: Download and extract the vulnerability DB
+ if: ${{ !steps.cache-check.outputs.cache-hit }}
+ shell: bash
+ run: |
+ mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+ oras pull ghcr.io/aquasecurity/trivy-db:2
+ tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+ rm db.tar.gz
+
+ - name: Download and extract the Java DB
+ if: ${{ !steps.cache-check.outputs.cache-hit }}
+ shell: bash
+ run: |
+ mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+ oras pull ghcr.io/aquasecurity/trivy-java-db:1
+ tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+ rm javadb.tar.gz
+
+ - name: Cache DBs
+ uses: actions/cache/save@v4
+ if: ${{ !steps.cache-check.outputs.cache-hit }}
+ with:
+ path: ${{ github.workspace }}/.cache/trivy
+ key: cache-trivy-${{ steps.date.outputs.date }}
+
 - name: Generate Trivy vulnerability scan report
- uses: aquasecurity/trivy-action@0.14.0
+ uses: aquasecurity/trivy-action@0.26.0
 if: inputs.publish_vulnerabilities == 'true'
 with:
 scan-type: 'fs'
@@ -38,6 +78,9 @@ runs:
 severity: ${{ inputs.scan_severity }}
 output: 'trivy-results.sarif'
 hide-progress: true
+ env:
+ TRIVY_SKIP_DB_UPDATE: true
+ TRIVY_SKIP_JAVA_DB_UPDATE: true
 
 - name: Upload Trivy scan report to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v3
@@ -46,7 +89,7 @@ runs:
 sarif_file: 'trivy-results.sarif'
 
 - name: Test with Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@0.14.0
+ uses: aquasecurity/trivy-action@0.26.0
 with:
 scan-type: 'fs'
 format: 'table'
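Review bot: This block (`Setup oras` through `Cache DBs`) is a verbatim copy of the one added to `actions/vulnerability_scan/action.yaml` in this commit; a small shared composite action used by both (for example a new `actions/trivy_db_cache/action.yaml`, name to be chosen) would keep the DB image tags (`trivy-db:2`, `trivy-java-db:1`), the cache key and the cache path from drifting apart between the two scanners. With `TRIVY_SKIP_DB_UPDATE` forced on in the later steps, a mismatch between the `path:` used here and the directory trivy-action reads its DB from would no longer be papered over by Trivy's own download, so either a comment on the `path:` line, `# must match the cache-dir trivy-action reads from`, or passing `cache-dir: ${{ github.workspace }}/.cache/trivy` explicitly on each Trivy step would make that dependency visible (I believe this path is trivy-action's default `cache-dir`, but that is worth confirming against its README).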
@@ -54,3 +97,6 @@ runs:
 ignore-unfixed: true
 severity: ${{ inputs.failure_severity }}
 hide-progress: true
+ env:
+ TRIVY_SKIP_DB_UPDATE: true
+ TRIVY_SKIP_JAVA_DB_UPDATE: true