Skip to content

Trivy CVE Dependency Scanner #237

Trivy CVE Dependency Scanner

Trivy CVE Dependency Scanner #237

Workflow file for this run

name: Trivy CVE Dependency Scanner
on:
schedule:
- cron: '0 0 * * *'
workflow_dispatch:
jobs:
scan-latest-release:
runs-on: ubuntu-latest
steps:
- name: Get Latest Release Docker Image Sha
id: latest-sha
run: |
set -eo pipefail
# Get the latest released docker image sha
curl -sL https://api.github.com/repos/carvel-dev/kapp-controller/releases/latest | jq -r '.assets[] | select(.name | contains("release.yml")).browser_download_url' | wget -i -
echo "image=$(yq eval '.spec.template.spec.containers[0].image' release.yml -N -oj | jq 'select(. != null)' -r)" >> $GITHUB_OUTPUT
echo "tag=$(curl -sL https://api.github.com/repos/carvel-dev/kapp-controller/releases/latest | jq -r '.tag_name')" >> $GITHUB_OUTPUT
- name: Install Trivy
run: |
# https://aquasecurity.github.io/trivy/v0.18.3/installation/
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
- name: Run Trivy
run: |
trivy image ${{ steps.latest-sha.outputs.image }}
trivy image --format json --output trivy-results-image-latest.json ${{ steps.latest-sha.outputs.image }}
- name: Check for new Vulnerabilities
run: |
set -eo pipefail
summary="Trivy scan has found \"new\" vulnerabilities in ${{steps.latest-sha.outputs.tag}} check https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}"
vulnCount=$(jq '[ .Results[].Vulnerabilities ] | length' trivy-results-image-latest.json)
if [[ $vulnCount -eq 0 ]]; then
summary="Trivy Scan has not found any new Security Issues in ${{steps.latest-sha.outputs.tag}}"
fi
echo "SUMMARY=$summary" >> "$GITHUB_ENV"
- name: Send Slack Notification
if: success()
uses: slackapi/[email protected]
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
with:
channel-id: C010XR15VHU
slack-message: "${{ env.SUMMARY }}"
- name: Send Failure notification
if: failure()
uses: slackapi/[email protected]
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
with:
channel-id: C010XR15VHU
slack-message: "Trivy scan workflow [${{steps.latest-sha.outputs.tag}}] failed. Please check the latest github action run for trivy scanner."
scan-develop-branch:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- name: Checkout
uses: actions/[email protected]
with:
fetch-depth: 0
- name: Set up Go 1.x
uses: actions/setup-go@v5
with:
go-version: 1.21.9
- name: Build the kapp-controller artifacts
run: |
./hack/install-deps.sh
./hack/build.sh
# docker image
docker buildx build -t docker.io/carvel/kapp-controller:${{ github.sha }} .
# kctrl
cd cli
./hack/build.sh
mv ./kctrl ../
- name: Install Trivy
run: |
# https://aquasecurity.github.io/trivy/v0.18.3/installation/
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
- name: Read dismissed CVEs from Github
run: |
set -o pipefail
trap 'on_error' ERR
on_error() {
echo "the curl reply was:"
cat cves.txt
}
curl https://api.github.com/repos/carvel-dev/kapp-controller/code-scanning/alerts \
--header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}' > cves.txt
cat cves.txt| jq '.[] | select(.state == "dismissed" or .state == "closed" or .state == "fixed") | .rule.id' | tr -d '"' > .trivyignore
- name: Run Trivy Reports
run: |
set -o pipefail
# kapp-controller binary - output in sarif and json
trivy rootfs --ignore-unfixed --format sarif --output trivy-results.sarif "controller"
trivy rootfs --ignore-unfixed --format json --output trivy-results.json "controller"
# kapp-controller docker image - output in sarif and json
trivy image --ignore-unfixed --format sarif --output trivy-results-image.sarif "docker.io/carvel/kapp-controller:${{ github.sha }}"
trivy image --ignore-unfixed --format json --output trivy-results-image.json "docker.io/carvel/kapp-controller:${{ github.sha }}"
# kctrl binary - output in sarif and json
trivy rootfs --ignore-unfixed --format sarif --output trivy-results-kctrl.sarif "kctrl"
trivy rootfs --ignore-unfixed --format json --output trivy-results-kctrl.json "kctrl"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: '.'
- name: Create Issues Summary
id: cve-summary
run: |
set -eo pipefail
summary_binary=$(jq '.Results[]? | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | tostring' trivy-results.json | tr -d \\ | tr -d '"')
summary_image=$(jq '.Results[]? | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | tostring' trivy-results-image.json | tr -d \\ | tr -d '"')
summary_kctrl=$(jq '.Results[]? | select(.Vulnerabilities) | .Vulnerabilities | group_by(.Severity) | map({Severity: .[0].Severity, Count: length}) | tostring' trivy-results-kctrl.json | tr -d \\ | tr -d '"')
summary=$( echo -e "Binary Image Summary:\n$summary_binary\nDocker Image Summary:\n$summary_image\nkctrl Summary:\n$summary_kctrl")
# Escape '%', '\n' and '\r' to support multiline strings with set-output
# https://github.com/orgs/community/discussions/26288
summary="${summary//'%'/'%25'}"
summary="${summary//$'\n'/'%0A'}"
summary="${summary//$'\r'/'%0D'}"
if [[ -n $summary_binary || -n $summary_image || -n $summary_kctrl ]]
then
echo "Summary: $summary"
echo "summary=$summary" >> $GITHUB_OUTPUT
else
echo "No new Issues were found"
fi
- name: Send Slack Notification if Scan Ran Successfully
if: steps.cve-summary.outputs.summary != ''
uses: slackapi/[email protected]
with:
slack-message: "New CVEs found! Check https://github.com/carvel-dev/kapp-controller/security/code-scanning for details \n ${{ steps.cve-summary.outputs.summary }}"
channel-id: C010XR15VHU
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
- name: Send Failure notification
if: failure()
uses: slackapi/[email protected]
env:
SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }}
with:
channel-id: C010XR15VHU
slack-message: "Trivy scan workflow failed. Check: https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}."