[feat][ci] Add Trivy container scan GitHub workflow
This commit introduces a GitHub Actions workflow that runs a Trivy
container scan on the following Docker containers:

- apachepulsar/pulsar:3.2.0
- apachepulsar/pulsar-all:3.2.0

The workflow runs daily @ 0800 UTC and, if it finds any vulnerabilities
of HIGH or CRITICAL severity, it sends an email including the report
to the Pulsar DEV mailing list as well as uploading the report to the
workflow run in GitHub.
onobc committed Feb 16, 2024
1 parent fc2e314 commit 1ca34a4
Showing 1 changed file with 92 additions and 0 deletions.
92 changes: 92 additions & 0 deletions .github/workflows/ci-trivy-container-scan.yaml
@@ -0,0 +1,92 @@
#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
#

name: CI - Trivy Container Scan
on:
schedule:
- cron: '0 8 * * *' # Every day at 8am UTC
workflow_dispatch:
inputs:
report-format:
description: 'Format of the report'
type: choice
default: table
options:
- table
- json
- sarif
severity:
description: "Severities to include (comma-separated or 'ALL' to include all)"
required: false
default: 'CRITICAL,HIGH'

jobs:
container_scan:
if: ${{ github.repository == 'apache/pulsar' }}
name: Trivy Docker image vulnerability scan
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
docker-image:
- 'apachepulsar/pulsar'
- 'apachepulsar/pulsar-all'
docker-tag:
- '3.2.0'
env:
IMAGE_REF: '${{ matrix.docker-image }}:${{ matrix.docker-tag }}'
steps:
- id: prepare-vars
shell: bash
run: |
IMAGE_REF_CLEAN="$(echo $IMAGE_REF | sed 's/-/_/g; s/\./_/g; s/:/_/g; s/\//_/g')"
echo "image_ref_clean=$IMAGE_REF_CLEAN" >> "$GITHUB_OUTPUT"
echo "report_filename=trivy-scan-$IMAGE_REF_CLEAN.${{ inputs.report-format }}" >> "$GITHUB_OUTPUT"
- name: Run Trivy container scan
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.IMAGE_REF }}
scanners: vuln
severity: ${{ inputs.severity != 'ALL' && inputs.severity || 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL' }}
limit-severities-for-sarif: true
format: ${{ inputs.report-format }}
output: ${{ steps.prepare-vars.outputs.report_filename }}
exit-code: 1
- name: Email Trivy container scan report
uses: dawidd6/action-send-mail@v3
if: ${{ failure() }}
with:
server_address: smtp.gmail.com
server_port: 465
secure: true
username: ${{secrets.TRIVY_SCAN_MAIL_USERNAME}}
password: ${{secrets.TRIVY_SCAN_MAIL_PASSWORD}}
subject: Trivy container scan results for ${{ env.IMAGE_REF }}
to: [email protected]
from: Github Trivy Container Scanner
body: Trivy reported vulnerabilities (${{ inputs.severity }}) for ${{ env.IMAGE_REF }}
ignore_cert: true
attachments: '${{ github.workspace }}/${{ steps.prepare-vars.outputs.report_filename }}'
- name: Upload Trivy container scan report
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: trivy-vuln-report-${{ steps.prepare-vars.outputs.image_ref_clean }}
path: '${{ github.workspace }}/${{ steps.prepare-vars.outputs.report_filename }}'
retention-days: 15
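Review bot: the `schedule` trigger never populates the `inputs` context, so on the daily cron run `inputs.severity` is null, the expression on the `severity:` line falls through to `'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'`, and the nightly scan fails (and emails the dev list) on any LOW or UNKNOWN finding rather than only HIGH/CRITICAL as the commit message states; in the same way `inputs.report-format` is empty, so `report_filename` in `prepare-vars` ends in a bare dot, `format:` is handed to the action as an empty string (an action's declared default is not applied to an input that is explicitly supplied), and the email body prints an empty severity list. Give each input a fallback in the expression, e.g. `severity: ${{ inputs.severity == 'ALL' && 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL' || inputs.severity || 'CRITICAL,HIGH' }}` and `format: ${{ inputs.report-format || 'table' }}`, with the same `|| 'table'` fallback where the filename is built in `prepare-vars`. In the email step, `ignore_cert: true` disables certificate verification on the TLS connection to smtp.gmail.com over which `TRIVY_SCAN_MAIL_USERNAME` and `TRIVY_SCAN_MAIL_PASSWORD` are sent, so `secure: true` no longer protects those credentials from an interposed server; drop it, since Gmail presents a valid certificate. `uses: aquasecurity/trivy-action@master` pulls a floating branch of a third-party action into a security-scanning job that holds mail credentials; pin it (and `dawidd6/action-send-mail@v3`) to a full commit SHA. Note also that `exit-code: 1` is the only failure signal the `if: ${{ failure() }}` steps react to, so a Trivy DB download error or any other step failure also triggers the email and artifact upload, while a clean scan uploads no report at all.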
