-
Notifications
You must be signed in to change notification settings - Fork 2
118 lines (109 loc) · 4.57 KB
/
scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
name: Scan
on:
schedule:
- cron: "0 7 * * *"
# Allow to run this workflow manually
workflow_dispatch:
env:
CONTAINER_REGISTRY: ghcr.io
CONTAINER_IMAGE_NAME: ${{ github.repository }}
CONTAINER_IMAGE_VERSION: latest
jobs:
# reset-trivy-cache:
# runs-on: ubuntu-latest
# steps:
# # TODO with latest release 0.24.0 there is no environment variable for resetting cache anymore
# # GH issue: https://github.com/aquasecurity/trivy-action/issues/372
# #
# - name: Remove all caches and database of the trivy scanner
# uses: aquasecurity/trivy-action@f781cce5aab226378ee181d764ab90ea0be3cdd8 # v0.25.0
# env:
# TRIVY_RESET: true
# TRIVY_DEBUG: true
# with:
# scan-type: "image"
# - name: Download trivy vulnerabilities DB
# uses: aquasecurity/trivy-action@f781cce5aab226378ee181d764ab90ea0be3cdd8 # v0.25.0
# env:
# TRIVY_DEBUG: true
# TRIVY_DOWNLOAD_DB_ONLY: true
# with:
# scan-type: "image"
vulnerability-scan-backend:
runs-on: ubuntu-latest
# needs: reset-trivy-cache
strategy:
matrix:
container-name:
[
"${{ github.repository }}",
"${{ github.repository }}-app",
"${{ github.repository }}-content",
]
permissions:
contents: read
id-token: write # for cosign w/ keyless signing
packages: write # for updating cosign attestation
security-events: write
steps:
- uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ matrix.container-name }}:${{ env.CONTAINER_IMAGE_VERSION }}
format: "sarif"
output: "trivy-results.sarif"
- name: Check trivy results
run: |
if grep -qE 'HIGH|CRITICAL' trivy-results.sarif; then
echo "Vulnerabilities found:"
jq -r '
.runs[].results[] |
"Rule ID: \(.ruleId)\n" +
"Package: \(.message.text | split("\n")[0] | ltrimstr("Package: "))\n" +
"Installed Version: \(.message.text | split("\n")[1] | ltrimstr("Installed Version: "))\n" +
"Severity: \(.message.text | split("\n")[2] | ltrimstr("Severity: "))\n" +
"\(.message.text | split("\n")[4] | ltrimstr("Link: "))\n"
' trivy-results.sarif
# Exit with error status
exit 1
else
echo "No significant vulnerabilities found"
exit 0
fi
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
with:
sarif_file: "trivy-results.sarif"
- name: Generate cosign vulnerability scan record
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ matrix.container-name }}:${{ env.CONTAINER_IMAGE_VERSION }}
format: "cosign-vuln"
output: "vulnerabilities.json"
- name: Install cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- name: Log into container registry
uses: docker/login-action@v3
with:
registry: ${{ env.CONTAINER_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Pull latest docker image
run: docker pull ghcr.io/digitalservicebund/a2j-rechtsantragstelle:latest
- name: Get Docker image digest
id: get_docker_digest
run: |
digest=$(docker inspect --format='{{ index .RepoDigests 0 }}' ghcr.io/digitalservicebund/a2j-rechtsantragstelle:latest)
echo "::set-output name=digest::$digest"
- name: Print Docker image digest
run: echo "Image latest digest is ${{ steps.get_docker_digest.outputs.digest }}\n"
- name: Set up environment
run: echo "IMAGE_DIGEST=${{ steps.get_docker_digest.outputs.digest }}" >> $GITHUB_ENV
- name: Attest vulnerability scan
run: cosign attest --yes --replace --predicate vulnerabilities.json --type vuln $IMAGE_DIGEST