From 0507df2413d81f3f591fad548ab2d0ac6ace034e Mon Sep 17 00:00:00 2001 From: Fredrik Wrede Date: Fri, 15 Nov 2024 16:00:26 +0000 Subject: [PATCH 1/5] add trivy scan --- .github/workflows/build-containers.yaml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/build-containers.yaml b/.github/workflows/build-containers.yaml index 89648764e..3f55d9d6c 100644 --- a/.github/workflows/build-containers.yaml +++ b/.github/workflows/build-containers.yaml @@ -52,3 +52,13 @@ jobs: tags: ${{ steps.meta1.outputs.tags }} labels: ${{ steps.meta1.outputs.labels }} file: Dockerfile + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.28.0 + with: + image-ref: ${{ steps.meta1.outputs.tags }} + format: table + exit-code: 1 + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' From 0a1409efe555382ef31db887c9d027b2d2da2fe6 Mon Sep 17 00:00:00 2001 From: Fredrik Wrede Date: Fri, 15 Nov 2024 16:09:50 +0000 Subject: [PATCH 2/5] try --- .github/workflows/build-containers.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-containers.yaml b/.github/workflows/build-containers.yaml index 3f55d9d6c..83938417c 100644 --- a/.github/workflows/build-containers.yaml +++ b/.github/workflows/build-containers.yaml @@ -56,7 +56,7 @@ jobs: - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.28.0 with: - image-ref: ${{ steps.meta1.outputs.tags }} + image-ref: ghcr.io/scaleoutsystems/fedn/fedn:0.19 format: table exit-code: 1 ignore-unfixed: true From 726567be0b502de845c1a38b38c79234d757ce4d Mon Sep 17 00:00:00 2001 From: Fredrik Wrede Date: Fri, 15 Nov 2024 16:27:28 +0000 Subject: [PATCH 3/5] test --- .github/workflows/build-containers.yaml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build-containers.yaml b/.github/workflows/build-containers.yaml index 83938417c..a95fa0801 100644 
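Review bot: `image-ref: ${{ steps.meta1.outputs.tags }}` in the new Trivy step passes the whole `tags` output, which docker/metadata-action emits as a newline-separated list whenever more than one tag is generated, so the scanner receives a multi-line ref rather than one image; pick a single tag, e.g. `image-ref: ghcr.io/${{ github.repository }}/fedn:${{ steps.meta1.outputs.version }}` (the `meta1` step is outside this hunk, so confirm which outputs it provides). Note also that the step runs after "Build and push", so `exit-code: 1` on a CRITICAL/HIGH finding fails the job only after the image has already been published; if the intent is to gate publication, build without pushing (`push: false`, `load: true`), scan the local image, and push in a separate step that depends on the scan passing.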
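Review bot: The hard-coded `image-ref: ghcr.io/scaleoutsystems/fedn/fedn:0.19` decouples the scan from the build: every run now scans a previously published release tag instead of the image this job just pushed, so new vulnerabilities in the current build can never fail the workflow. If this is a temporary probe (the subject says "try") it should not land on master; otherwise derive the ref from the build outputs, e.g. `image-ref: ghcr.io/${{ github.repository }}/fedn:${{ steps.meta1.outputs.version }}`.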
--- a/.github/workflows/build-containers.yaml +++ b/.github/workflows/build-containers.yaml @@ -53,12 +53,16 @@ jobs: labels: ${{ steps.meta1.outputs.labels }} file: Dockerfile - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.28.0 + # if push to master of release, run trivy scan on the image + - name: Trivy scan + #if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} + uses: aquasecurity/trivy-action@v0.28.0 with: - image-ref: ghcr.io/scaleoutsystems/fedn/fedn:0.19 + image-ref: ghcr.io/${{ github.repository }}/fedn:${{ steps.meta1.outputs.sha }} format: table - exit-code: 1 - ignore-unfixed: true - vuln-type: 'os,library' - severity: 'CRITICAL,HIGH' + exit-code: 0 + severity: HIGH,CRITICAL + ignore-unfixed: false + vuln-type: os,library,application + light: false + token: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file From 3e676b7776197cd32b7ff4a24d036a4e2d72f426 Mon Sep 17 00:00:00 2001 From: Fredrik Wrede Date: Fri, 15 Nov 2024 16:29:02 +0000 Subject: [PATCH 4/5] fix --- .github/workflows/build-containers.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-containers.yaml b/.github/workflows/build-containers.yaml index a95fa0801..5566bf7de 100644 --- a/.github/workflows/build-containers.yaml +++ b/.github/workflows/build-containers.yaml @@ -48,7 +48,7 @@ jobs: - name: Build and push uses: docker/build-push-action@v4 with: - push: "${{ github.event_name != 'pull_request' }}" + push: true #"${{ github.event_name != 'pull_request' }}" tags: ${{ steps.meta1.outputs.tags }} labels: ${{ steps.meta1.outputs.labels }} file: Dockerfile 
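Review bot: `exit-code: 0` combined with `format: table` turns the scan into a purely informational step — CRITICAL/HIGH findings are printed to the job log and then discarded, nothing fails and nothing is recorded. If the gate is being relaxed on purpose while the step is tested, say so in a comment (`# TODO: restore exit-code: 1 once the step is stable`); otherwise keep `exit-code: 1` or at least persist the output (`format: sarif` with an `output:` file and an upload step). Separately, `steps.meta1.outputs.sha` looks like a non-existent output: docker/metadata-action exposes `version`, `tags`, `labels`, `json` and bake-file outputs but, as far as I know, no `sha`, so the tag expands to an empty string and the ref becomes `.../fedn:` — the `meta1` step is outside this hunk, so verify against its definition. If a commit-pinned ref is wanted, use `${{ github.sha }}` and make sure the metadata step emits a matching `type=sha` tag.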
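Review bot: Changing `push` to an unconditional `true` means pull-request builds now publish images to `ghcr.io/${{ github.repository }}` before review, so unreviewed code ends up under the project's registry namespace with PR-derived tags. For PRs from forks the default `GITHUB_TOKEN` lacks `packages: write`, so the step will instead fail there (the workflow's `on:` and `permissions:` blocks are outside this hunk — confirm which events reach this job). Leaving the original expression as a trailing comment reads as a temporary hack; if the only goal is to have an image for the Trivy step, restore `push: ${{ github.event_name != 'pull_request' }}` and make the PR image available to the scanner locally (`load: true` on a non-pushing build) rather than publishing it.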
@@ -56,7 +56,7 @@ jobs: # if push to master of release, run trivy scan on the image - name: Trivy scan #if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} - uses: aquasecurity/trivy-action@v0.28.0 + uses: aquasecurity/trivy-action@0.28.0 with: image-ref: ghcr.io/${{ github.repository }}/fedn:${{ steps.meta1.outputs.sha }} format: table From 30be61cc7cf63651bbf6233a1de0289e9c2b3aa6 Mon Sep 17 00:00:00 2001 From: Fredrik Wrede Date: Fri, 15 Nov 2024 16:36:35 +0000 Subject: [PATCH 5/5] fix --- .github/workflows/build-containers.yaml | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build-containers.yaml b/.github/workflows/build-containers.yaml index 5566bf7de..0aa906558 100644 --- a/.github/workflows/build-containers.yaml +++ b/.github/workflows/build-containers.yaml @@ -55,14 +55,19 @@ jobs: # if push to master of release, run trivy scan on the image - name: Trivy scan - #if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} + if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} uses: aquasecurity/trivy-action@0.28.0 with: - image-ref: ghcr.io/${{ github.repository }}/fedn:${{ steps.meta1.outputs.sha }} - format: table + image-ref: ghcr.io/${{ github.repository }}/fedn:master + format: 'sarif' + output: 'trivy-results.sarif' exit-code: 0 severity: HIGH,CRITICAL ignore-unfixed: false vuln-type: os,library,application - light: false - token: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }} + with: + sarif_file: 'trivy-results.sarif' \ No newline at end of file
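Review bot: `uses: aquasecurity/trivy-action@0.28.0` is presumably the tag that actually resolves (the previous commit's `v0.28.0` evidently did not), but it is still a mutable ref: whoever can move that tag upstream changes the code that runs with this job's token and registry access. For a step that is meant to act as a security gate, pin to the release's full commit SHA and keep the version as a comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha> # 0.28.0`, and let Dependabot/Renovate handle bumps.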
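Review bot: The new `github/codeql-action/upload-sarif@v3` step needs `security-events: write` on the job; if the workflow declares a restrictive `permissions:` block (outside this hunk) the upload will 403 on the first master push, so add `security-events: write` to the job's permissions alongside the `packages: write` the push already needs. `exit-code: 0` is kept, so CRITICAL/HIGH findings only surface in the Security tab and never block anything — fine as a first step, but worth an explicit comment such as `# informational only: results are uploaded, not enforced (exit-code: 0)` so nobody assumes master builds are gated. `vuln-type: os,library,application` also looks off: Trivy's `--vuln-type` accepts `os` and `library`, and I don't believe `application` is a recognised value, so check it against the pinned version or drop it. Finally, the comment says "push to master of release" but the `if` only matches `refs/heads/master`, so release-tag builds are never scanned; either extend the condition with `startsWith(github.ref, 'refs/tags/')` or fix the comment (and the file is left without a trailing newline).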