Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add trivy scan #70

Closed
wants to merge 6 commits into from
Closed

add trivy scan #70

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
e8e93f4
add trivy scan
Tianhao-Gu Aug 21, 2024
6087bf9
skip output as table
Tianhao-Gu Aug 21, 2024
5a92fc6
try template
Tianhao-Gu Aug 21, 2024
3e7a81c
try clean up docker resources
Tianhao-Gu Aug 21, 2024
39f9f68
try repo scan instead
Tianhao-Gu Aug 21, 2024
9c191a8
add comments
Tianhao-Gu Aug 21, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/pr_build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,5 +39,5 @@ jobs:
secrets: inherit
trivy-scans:
if: (github.base_ref == 'develop' || github.base_ref == 'main' || github.base_ref == 'master' ) && github.event.pull_request.merged == false
uses: kbase/.github/.github/workflows/reusable_trivy-scans.yml@main
uses: ./.github/workflows/trivy.yml
secrets: inherit
60 changes: 60 additions & 0 deletions .github/workflows/trivy.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,60 @@
name: "Trivy Scans"

on:
workflow_call:

jobs:
build:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
name: Build
runs-on: "ubuntu-20.04"
# Steps are copied from https://github.com/kbase/.github/blob/main/.github/workflows/reusable_trivy-scans.yml
# In order to avoid 'no space left on device' error, we are not building a Docker image
# Instead, we are scanning the repository code directly (change scan-type from 'image' to 'fs')
steps:
- name: Checkout code
uses: actions/checkout@v4

# - name: Build an image from Dockerfile
# run: |
# git config --global --add safe.directory $GITHUB_WORKSPACE;
# docker build -t trivy-test .

- name: Run Trivy vulnerability scanner, output as table
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
format: "table"
output: "trivy-results.tbl"
timeout: "20m0s"

- name: Check for log4j CVEs
run: |
set -e
for cve in CVE-2021-4104 CVE-2021-44228 CVE-2021-45046 CVE-2022-22965 ; do
if grep -c $cve trivy-results.tbl > 0;
then
echo "Found log4j error: $cve"
exit 2
fi
done
# If above doesn't find errors, return pass message:
echo "Did not find core log4j errors, yay!"

- name: Rerun Trivy vulnerability scanner for GitHub security
uses: aquasecurity/trivy-action@master
if: always()
with:
scan-type: 'fs'
format: "sarif"
output: "trivy-results.sarif"
timeout: "20m0s"
ignore-unfixed: true

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
Loading