From 8b9aa467406a80da8d2b7ffac6f006bf8ae119ee Mon Sep 17 00:00:00 2001
From: Michal Nowacki
Date: Mon, 4 Nov 2024 17:54:07 -0500
Subject: [PATCH] ci: add security scan with trivy

Security scan with trivy will be run on push to main and dev, pull request, and daily. trivy will skip scanning vendor subdirectory because the agent is not using code from that directory.
---
 .github/workflows/security-scan.yml | 50 +++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 .github/workflows/security-scan.yml

diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
new file mode 100644
index 000000000..0f3072cb1
--- /dev/null
+++ b/.github/workflows/security-scan.yml
@@ -0,0 +1,50 @@
+name: Security scan
+on:
+  push:
+    branches:
+      - main
+      - dev
+  pull_request:
+  schedule:
+    - cron: '0 9 * * *' # Same time as CI Cron
+
+jobs:
+  trivy-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout newrelic-php-agent code
+        uses: actions/checkout@v4
+        with:
+          path: php-agent
+      - name: Run Trivy in table mode
+        # Table output is only useful when running on a pull request or push.
+        if: contains(fromJSON('["push", "pull_request"]'), github.event_name)
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          scan-type: fs
+          scan-ref: ./php-agent
+          scanners: vuln,misconfig
+          skip-dirs: vendor
+          format: table
+          exit-code: 1
+          ignore-unfixed: true
+          severity: CRITICAL,HIGH,MEDIUM,LOW
+
+      - name: Run Trivy in report mode
+        # Only generate sarif when running nightly on the dev branch.
+        if: ${{ github.event_name == 'schedule' }}
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          scan-type: fs
+          skip-dirs: vendor
+          format: sarif
+          output: trivy-results.sarif
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH,MEDIUM,LOW'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        # Only upload sarif when running nightly on the dev branch.
+        if: ${{ github.event_name == 'schedule' }}
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          sarif_file: trivy-results.sarif
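Review bot: The final "Upload Trivy scan results" step points `uses:` at `aquasecurity/trivy-action@0.28.0` again while passing `sarif_file`, which is not a trivy-action input, so the nightly run appears to perform a third filesystem scan and never uploads `trivy-results.sarif` to the Security tab; the upload should use `github/codeql-action/upload-sarif@v3`. The workflow also declares no `permissions:` block, and a SARIF upload needs `security-events: write` (plus `contents: read` for the checkout) — without it the upload fails wherever the default token is read-only, and stating it explicitly keeps the job at least privilege. The report-mode step drops the `scan-ref: ./php-agent` and `scanners: vuln,misconfig` settings used in table mode, so if `skip-dirs: vendor` is resolved relative to the scan root it would presumably no longer match `php-agent/vendor` on the nightly scan — worth aligning the two steps so the scheduled report covers the same surface as the PR gate. Both actions are pinned by mutable tag; for a security gate, pinning `actions/checkout` and `trivy-action` to full commit SHAs guards against tag rewrites.
```yaml
permissions:
  contents: read
  security-events: write

jobs:
  # … unchanged: trivy-scan job through the "Run Trivy in report mode" step …
      - name: Upload Trivy scan results to GitHub Security tab
        if: ${{ github.event_name == 'schedule' }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif
```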