diff --git a/.github/workflows/docker-image-scan.yml b/.github/workflows/docker-image-scan.yml
index 46d0067a..f64ca416 100644
--- a/.github/workflows/docker-image-scan.yml
+++ b/.github/workflows/docker-image-scan.yml
@@ -63,7 +63,8 @@ jobs:
 with:
 asset_prefix: kong-gateway-dev-linux-amd64
 image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.amd64_sha }}
- skip_trivy_scan: true
+ skip_cis_scan: false
+ offline_cis_scan: true
 - name: Scan ARM64 Image digest
 if: steps.image_manifest_metadata.outputs.manifest_list_exists == 'true' && steps.image_manifest_metadata.outputs.arm64_sha != ''
@@ -73,7 +74,7 @@ jobs:
 asset_prefix: test.kong-gateway-dev-linux-arm64
 image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.arm64_sha }}
 upload-sbom-release-assets: true
- skip_trivy_scan: false
+ skip_cis_scan: false
 test-download-sbom:
 if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
diff --git a/security-actions/scan-docker-image/action.yml b/security-actions/scan-docker-image/action.yml
index bb4432c2..1d8cc589 100644
--- a/security-actions/scan-docker-image/action.yml
+++ b/security-actions/scan-docker-image/action.yml
@@ -59,7 +59,7 @@ inputs:
 options:
 - 'true'
 - 'false'
- skip_trivy_scan:
+ skip_cis_scan:
 required: false
 default: false
 description: 'Toggle to skip Trivy scan'
@@ -67,6 +67,14 @@ inputs:
 options:
 - 'true'
 - 'false'
+ offline_cis_scan:
+ required: false
+ default: false
+ description: 'Skip db updates for docker cis scan and use offline mode. When set, results can be partial'
+ type: choice
+ options:
+ - 'true'
+ - 'false'
 outputs:
 cis-json-report:
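Review bot: `offline_cis_scan: true` on the AMD64 step turns a scan that was previously skipped outright into one that runs with the offline Trivy flags, which the action's own input description says can give partial results, while the ARM64 step in the next hunk keeps the default online scan; the reason for the asymmetry is not recorded anywhere in the change. A one-line comment above the setting would save the next reader from guessing, e.g. `# amd64 CIS scan runs offline: <reason placeholder>`. `skip_cis_scan: false` restates the action's default and could be dropped, or kept if the intent is to make the choice explicit next to `offline_cis_scan`. The enclosing AMD64 step starts before this hunk.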
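Review bot: The input is renamed to `skip_cis_scan` but its description still reads `'Toggle to skip Trivy scan'`, which no longer says which of the action's scans is skipped now that the name is specific to the docker-cis compliance steps; `description: 'Toggle to skip the docker-cis compliance scan (run with Trivy)'`. Renaming a published action input is also a breaking change for callers outside this repository: as far as I can tell a caller still passing `skip_trivy_scan: true` would get only an unexpected-input warning and the scan would run anyway, which fails closed but is worth stating in the changelog or covering with the old name kept as a deprecated alias for one release.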
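Review bot: The new `offline_cis_scan` input's description says results "can be partial" but not what offline mode actually changes, so a caller cannot judge the trade-off from the action's interface alone; naming the flags it maps to, `description: 'Run the docker-cis scan with --skip-db-update --skip-java-db-update --offline-scan --skip-check-update; no DB refresh, so results can be partial'`, makes the cost concrete. `default: false` unquoted beside quoted `options` matches the neighbouring inputs, so that is consistent as written.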
@@ -304,17 +312,18 @@ runs:
 - name: Generate docker-cis JSON report
 uses: docker://aquasec/trivy:0.55.2
- if: ${{ inputs.skip_trivy_scan != 'true' && steps.meta.outputs.scan_image != '' }}
+ if: ${{ inputs.skip_cis_scan != 'true' && steps.meta.outputs.scan_image != '' }}
 id: cis_json
 with:
 entrypoint: trivy
- args: "image ${{ env.input }} ${{ steps.meta.outputs.scan_image }} --compliance ${{ env.compliance }} -f json --ignore-unfixed -o ${{ steps.meta.outputs.cis_json_file }}"
+ args: "image ${{ env.input }} ${{ steps.meta.outputs.scan_image }} --compliance ${{ env.compliance }} -f json --ignore-unfixed -o ${{ steps.meta.outputs.cis_json_file }} ${{ env.offline_cis_scan }}"
 env:
 compliance: docker-cis-1.6.0
 input: ${{ steps.docker_tar.outputs.files_exists == 'true' && '--input' || '' }}
+ offline_cis_scan: ${{ inputs.offline_cis_scan == 'true' && '--skip-db-update --skip-java-db-update --offline-scan --skip-check-update' || '' }}
 - name: upload docker-cis JSON report
- if: ${{ inputs.skip_trivy_scan != 'true' && steps.meta.outputs.scan_image != '' }}
+ if: ${{ inputs.skip_cis_scan != 'true' && steps.meta.outputs.scan_image != '' }}
 uses: actions/upload-artifact@v4
 with:
 name: ${{ steps.meta.outputs.cis_json_file }}
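Review bot: The new `offline_cis_scan` env passes `--skip-db-update --skip-java-db-update --offline-scan --skip-check-update` to a `docker://aquasec/trivy:0.55.2` container step, and nothing in this hunk restores a Trivy cache into that container; as far as I can tell, when no DB is present and `--skip-db-update` is set Trivy refuses to scan rather than running degraded, so on a cold runner the step would fail instead of producing the partial report the input description promises — confirm that a cache is mounted or prepared by `steps.meta` before relying on this. The same four-flag expression is repeated verbatim in the `Inspect docker-cis report` hunk below; computing it once (for example as a `steps.meta` output) keeps the two steps from drifting. The env key `offline_cis_scan` also reuses the input's name, so `inputs.offline_cis_scan` (a toggle) and `env.offline_cis_scan` (a flag string) are easy to confuse; `cis_offline_flags` would read better. The `Generate docker-cis JSON report` step starts within the hunk, but the upload step continues past it.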
@@ -323,12 +332,13 @@ runs:
 if-no-files-found: warn
 - name: Inspect docker-cis report
- if: ${{ inputs.skip_trivy_scan != 'true' && steps.meta.outputs.scan_image != '' }}
+ if: ${{ inputs.skip_cis_scan != 'true' && steps.meta.outputs.scan_image != '' }}
 uses: docker://aquasec/trivy:0.55.2
 with:
 entrypoint: trivy
- args: "image ${{ env.input }} ${{ steps.meta.outputs.scan_image }} --compliance ${{ env.compliance }} -f table --ignore-unfixed --exit-code ${{ env.exit-code }}"
+ args: "image ${{ env.input }} ${{ steps.meta.outputs.scan_image }} --compliance ${{ env.compliance }} -f table --ignore-unfixed --exit-code ${{ env.exit-code }} ${{ env.offline_cis_scan }}"
 env:
 exit-code: ${{ (steps.meta.outputs.global_enforce_build_failure == 'true' || inputs.fail_build == 'true') && '1' || '0' }}
 compliance: docker-cis-1.6.0
 input: ${{ steps.docker_tar.outputs.files_exists == 'true' && '--input' || '' }}
+ offline_cis_scan: ${{ inputs.offline_cis_scan == 'true' && '--skip-db-update --skip-java-db-update --offline-scan --skip-check-update' || '' }}
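Review bot: With `${{ env.offline_cis_scan }}` appended, the `--exit-code ${{ env.exit-code }}` enforcement in this step can now be satisfied by a scan the input description itself calls partial: when `fail_build` or `global_enforce_build_failure` is on, an offline run against whatever DB the container already has may exit 0 where an online run would have failed the build. If that trade-off is intended, make it visible in the job log so a green check can be read correctly, e.g. a small preceding step guarded by `if: ${{ inputs.offline_cis_scan == 'true' }}` that prints `::warning::docker-cis scan ran in offline mode; results may be partial`. The duplicated flag expression is raised on the JSON-report hunk above; the `Inspect docker-cis report` step is complete within this hunk.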