Skip to content

Scan

Scan #565

Workflow file for this run

name: Scan
on:
schedule:
- cron: "0 6 * * *" # Every day at 8am
# Allow to run this workflow manually
workflow_dispatch:
env:
CONTAINER_REGISTRY: ghcr.io
CONTAINER_IMAGE_NAME: ${{ github.repository }}
CONTAINER_IMAGE_VERSION: ${{ github.sha }}
jobs:
reset-trivy-cache:
runs-on: ubuntu-latest
steps:
- name: Remove all caches and database of the trivy scanner
uses: aquasecurity/trivy-action@b77b85c0254bba6789e787844f0585cde1e56320
env:
TRIVY_RESET: true
TRIVY_DEBUG: true
with:
scan-type: "image"
- name: Download trivy vulnerabilities DB
uses: aquasecurity/trivy-action@b77b85c0254bba6789e787844f0585cde1e56320
env:
TRIVY_DEBUG: true
TRIVY_DOWNLOAD_DB_ONLY: true
with:
scan-type: "image"
- name: Download trivy Java index DB
uses: aquasecurity/trivy-action@b77b85c0254bba6789e787844f0585cde1e56320
env:
TRIVY_DEBUG: true
TRIVY_DOWNLOAD_JAVA_DB_ONLY: true
with:
scan-type: "image"
vulnerability-scan:
runs-on: ubuntu-latest
needs: reset-trivy-cache
permissions:
contents: read
id-token: write # for cosign w/ keyless signing
packages: write # for updating cosign attestation
security-events: write
steps:
- uses: actions/checkout@v4
- name: Run Trivy vulnerability scanner
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: aquasecurity/trivy-action@b77b85c0254bba6789e787844f0585cde1e56320
env:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TRIVY_DEBUG: true
with:
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
format: "sarif"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH"
exit-code: "1" # Fail the build!
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
if: ${{ always() && github.ref == 'refs/heads/main' }} # Bypass non-zero exit code..
with:
sarif_file: "trivy-results.sarif"
- name: Generate cosign vulnerability scan record
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: aquasecurity/trivy-action@b77b85c0254bba6789e787844f0585cde1e56320
env:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
TRIVY_DEBUG: true
with:
image-ref: ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
format: "cosign-vuln"
output: "vuln.json"
- name: Install cosign
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19
- name: Log into container registry
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
with:
registry: ${{ env.CONTAINER_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Attest vulnerability scan
run: cosign attest --yes --replace --predicate vuln.json --type vuln ${{ env.CONTAINER_REGISTRY }}/${{ env.CONTAINER_IMAGE_NAME }}:${{ env.CONTAINER_IMAGE_VERSION }}
env:
COSIGN_EXPERIMENTAL: "true"
- name: Send status to Slack
# Third-party action, pin to commit SHA!
# See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
uses: lazy-actions/slatify@c4847b8c84e3e8076fd3c42cc00517a10426ed65
if: ${{ failure() && github.ref == 'refs/heads/main' && env.SLACK_WEBHOOK_URL }}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
with:
type: ${{ job.status }}
job_name: "Vulnerability scan :point_right:"
mention: "here"
mention_if: "failure"
commit: true
url: ${{ secrets.SLACK_WEBHOOK_URL }}
token: ${{ secrets.GITHUB_TOKEN }}