Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: trivy and ort implementation #34

Merged
merged 1 commit into from
Jul 12, 2024
Merged

feat: trivy and ort implementation #34

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 67 additions & 0 deletions .github/workflows/weekly_vuln_scan.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
# SPDX-FileCopyrightText: 2024 PNED G.I.E.
# SPDX-License-Identifier: Apache-2.0

name: Scan Latest Two Semantically Versioned Image with Trivy and ORT

on:
schedule:
- cron: "0 14 * * 1" # Works on Every Monday at 14:00 UTC
workflow_dispatch:

env:
IMAGE_NAME: ghcr.io/genomicdatainfrastructure/gdi-userportal-dataset-discovery-service
LATEST_PATCHES: ""

jobs:
fetch-and-scan:
runs-on: ubuntu-latest
steps:
- name: Setup Docker
run: sudo service docker start

- name: Login to GitHub Container Registry
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin

- name: List Docker Image Tags and Fetch Latest Two
run: |
IMAGE="ghcr.io/genomicdatainfrastructure/gdi-userportal-dataset-discovery-service"
echo "Fetching Docker image tags..."
RESPONSE=$(curl -s -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" "https://api.github.com/orgs/genomicdatainfrastructure/packages/container/gdi-userportal-dataset-discovery-service/versions")

# Log the response for debugging
echo "Response from curl: $RESPONSE"

# Extract tags and creation dates, then sort by creation date
TAGS_WITH_DATES=$(echo "$RESPONSE" | jq -r '.[] | .metadata.container.tags[] as $tag | select($tag | test("^sha-[a-z0-9]+$")) | "\($tag) \(.created_at)"' | sort -k2 -r)

# Get the latest tag from each of the latest two minor versions
LATEST_TAGS=$(echo "$TAGS_WITH_DATES" | awk '{split($1, a, "."); key=a[1] "." a[2]; if (!seen[key]++) print $1}' | head -n 2 | tr '\n' ' ')

# Print the results
echo "Tags fetched: $LATEST_TAGS"

echo "LATEST_PATCHES=$LATEST_TAGS" >> $GITHUB_ENV

- name: Pull and Scan Docker Images with Trivy
run: |
IFS=' ' read -ra TAGS <<< "${{ env.LATEST_PATCHES }}"
for TAG in "${TAGS[@]}"
do
IMAGE_TAG="ghcr.io/genomicdatainfrastructure/gdi-userportal-dataset-discovery-service:$TAG"
echo "Pulling $IMAGE_TAG"
docker pull $IMAGE_TAG || exit 1
echo "Scanning $IMAGE_TAG with Trivy"
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy:latest image --severity CRITICAL,HIGH --exit-code 1 "$IMAGE_TAG" || exit 1

done

- name: OSS Review Toolkit (ORT) Analysis
uses: actions/checkout@v4
with:
repository: ${{ github.repository }}

- uses: oss-review-toolkit/ort-ci-github-action@7f23c1f8d169dad430e41df223d3b8409c7a156e
with:
allow-dynamic-versions: "true"
fail-on: "issues"
run: "cache-dependencies,cache-scan-results,labels,analyzer,evaluator,advisor,reporter,upload-results"