Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Change trivy scan to use caching due to the amount of timeouts #37

Merged
merged 1 commit into from
Nov 11, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
66 changes: 15 additions & 51 deletions .github/workflows/trivy-scan.yml
Original file line number Diff line number Diff line change
Expand Up @@ -63,16 +63,11 @@ jobs:

# Build Binary File
./hack/build.sh
- name: Install trivy
run: |
set -o pipefail

# https://aquasecurity.github.io/trivy/v0.18.3/installation/
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy

- name: Trivy Cache
uses: yogeshlonkar/trivy-cache-action@v0
with:
gh-token: ${{ secrets.githubToken }}

- name: Read dismissed CVEs from Github
run: |
Expand All @@ -87,49 +82,18 @@ jobs:
--header 'authorization: Bearer ${{ secrets.githubToken }}' > cves.txt
cat cves.txt| jq '.[] | select(.state == "dismissed" or .state == "closed" or .state == "fixed") | .rule.id' | tr -d '"' > .trivyignore

- name: Run trivy to generate reports
env:
GITHUB_TOKEN: ${{ secrets.githubToken }}
run: |
set -o pipefail
# Generate trivy report in sarif format
trivy rootfs --ignore-unfixed --format sarif --output trivy-results.sarif ${{ inputs.tool }}

# Generate trivy report in json format
trivy rootfs --ignore-unfixed --format json --output results.json ${{ inputs.tool }}
- name: Run Trivy scanner output sarif
uses: aquasecurity/[email protected]
with:
scan-type: 'fs'
scan-ref: '${{ inputs.tool }}'
format: 'sarif'
severity: 'HIGH,CRITICAL'
output: 'trivy-results.sarif'
exit-code: 1

- name: Upload Trivy scan results to GitHub Security tab
if: always()
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'

- name: Create Issues Summary
id: cve-summary
run: |
# We should fail the github action even if there is an issue with `jq` parsing. Hence set -o pipefail
set -o pipefail
summary=$(jq '.Results[]? | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | tostring' results.json | tr -d \\ | tr -d '"')

if [ -n $summary ]
then
echo "Summary: $summary"
echo "::set-output name=summary::$summary"
else
echo "No new Issues where found"
fi

- name: Send Slack Notification if Scan Ran Successfully
if: steps.cve-summary.outputs.summary != ''
uses: slackapi/[email protected]
with:
payload: "{\"tool\":\"${{ inputs.tool }}\",\"result\":\"Success\", \"summary\": \"${{ steps.cve-summary.outputs.summary }}\"}"
env:
SLACK_WEBHOOK_URL: ${{ secrets.slackWebhookURL }}

- name: Send Slack Notification if Scan Failed
if: failure()
uses: slackapi/[email protected]
with:
payload: "{\"tool\":\"${{ inputs.tool }}\",\"result\":\"Failed\", \"summary\": \"Please review the scan information in Github\"}"
env:
SLACK_WEBHOOK_URL: ${{ secrets.slackWebhookURL }}
Loading