-
Notifications
You must be signed in to change notification settings - Fork 30
137 lines (124 loc) · 6.03 KB
/
trivy-scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
name: Trivy CVE Dependency Scanner
on:
schedule:
- cron: '0 0 * * *'
workflow_dispatch:
jobs:
scan-latest-release:
runs-on: ubuntu-latest
steps:
- name: Get Latest Release Docker Image Sha
id: latest-sha
run: |
# Get the latest released docker image sha
curl -sL https://api.github.com/repos/carvel-dev/secretgen-controller/releases/latest | jq -r '.assets[].browser_download_url' | wget -i -
echo ::set-output name=image::$(yq eval '.spec.template.spec.containers[0].image' release.yml -N -j | jq 'select(. != null)' -r)
echo ::set-output name=tag::$(curl -sL https://api.github.com/repos/carvel-dev/secretgen-controller/releases/latest | jq -r '.tag_name')
- name: Install Trivy
run: |
# https://aquasecurity.github.io/trivy/v0.18.3/installation/
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
- name: Run Trivy
run: |
trivy image ${{ steps.latest-sha.outputs.image }}
trivy image --format json --output trivy-results-image-latest.json ${{ steps.latest-sha.outputs.image }}
- name: Check for new Vulnerabilities
run: |
set -o pipefail
summary="Trivy scan has found new vulnerabilities in ${{steps.latest-sha.outputs.tag}} check https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"
vulnCount=$(jq '[ .Results[]? | select(.Vulnerabilities) | .Vulnerabilities ] | length' trivy-results-image-latest.json)
if [[ $vulnCount -eq 0 ]]; then
summary="Trivy Scan has not found any new Security Issues in ${{steps.latest-sha.outputs.tag}}"
fi
echo "SUMMARY=$summary" >> $GITHUB_ENV
- name: Send Slack Notification
if: success()
uses: slackapi/[email protected]
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
with:
channel-id: C010XR15VHU
slack-message: "${{ env.SUMMARY }}"
- name: Send Failure notification
if: failure()
uses: slackapi/[email protected]
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
with:
channel-id: C010XR15VHU
slack-message: "Trivy scan workflow [${{steps.latest-sha.outputs.tag}}] failed. Please check the latest github action run for trivy scanner."
scan-develop-branch:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- name: Checkout
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Set up Go 1.x
uses: actions/setup-go@v3
with:
go-version: 1.23.3
- name: Build the secretgen-controller artifacts
run: |
curl -L https://carvel.dev/install.sh | bash
./hack/build.sh
# docker image
docker buildx build -t docker.io/carvel/secretgen-controller:${{ github.sha }} .
- name: Install Trivy
run: |
# https://aquasecurity.github.io/trivy/v0.18.3/installation/
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
# download the sarif format template
git clone --depth 1 https://github.com/aquasecurity/trivy
- name: Run Trivy Reports
run: |
export TRIVY_IGNORE_UNFIXED=true
export TRIVY_SEVERITY="MEDIUM,HIGH,CRITICAL"
export TRIVY_TEMPLATE="@trivy/contrib/sarif.tpl"
# secretgen-controller binary - output in sarif and json
trivy rootfs --format template --output trivy-results-binary.sarif "controller"
trivy rootfs --format json --output trivy-results-binary.json "controller"
# secretgen-controller docker image - output in sarif and json
trivy image --format template --output trivy-results-image.sarif "docker.io/carvel/secretgen-controller:${{ github.sha }}"
trivy image --format json --output trivy-results-image.json "docker.io/carvel/secretgen-controller:${{ github.sha }}"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: '.'
- name: Check for new Vulnerabilities
run: |
set -o pipefail
summary="Trivy scan has found new vulnerabilities - check https://github.com/carvel-dev/secretgen-controller/security/code-scanning for more"
vulnCountBinary=$(jq '[ .Results[]? | select(.Vulnerabilities) | .Vulnerabilities ] | length' trivy-results-binary.json)
vulnCountImage=$(jq '[ .Results[]? | select(.Vulnerabilities) | .Vulnerabilities ] | length' trivy-results-image.json)
if [[ $vulnCountImage -eq 0 && $vulnCountBinary -eq 0 ]]
then
summary="Trivy Scan has not found any new Security Issues"
fi
echo "SUMMARY=$summary" >> $GITHUB_ENV
- name: Send Slack Notification
if: success()
uses: slackapi/[email protected]
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
with:
channel-id: C010XR15VHU
slack-message: "${{ env.SUMMARY }}"
- name: Send Failure notification
if: failure()
uses: slackapi/[email protected]
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
with:
channel-id: C010XR15VHU
slack-message: "Trivy scan workflow failed. Please check the latest github action run for trivy scanner."