-
Notifications
You must be signed in to change notification settings - Fork 13
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
First attempt using intel/cve-bin-tool-action to scan for CVE on push.
- Loading branch information
1 parent
cc37a2a
commit 98195ac
Showing
1 changed file
with
69 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| name: CVE scanner | ||
| on: | ||
| # You can customize this according to your need. | ||
| - push | ||
| - pull_request | ||
| jobs: | ||
| build_and_scan: | ||
| runs-on: ubuntu-22.04 | ||
| steps: | ||
| - name: Install State Tool | ||
| uses: ActiveState/setup-state-tool@v1 | ||
|
|
||
| - name: Install Go | ||
| uses: actions/setup-go@v3 | ||
| with: | ||
| go-version: 1.22.x | ||
|
|
||
| # Get date utility for caching database. | ||
| - name: Get Date | ||
| id: get-date | ||
| run: | | ||
| echo "date=$(/bin/date -u "+%Y%m%d")" >> $GITHUB_OUTPUT | ||
| shell: bash | ||
| # Let's first download dependencies for this action. | ||
| - uses: actions/checkout@v2 | ||
| - name: Set up Python | ||
| uses: actions/setup-python@v4 | ||
| with: | ||
| python-version: '3.x' | ||
| # This second step is unnecessary but highly recommended because | ||
| # It will cache database and saves time redownloading it if database isn't stale. | ||
| - name: get cached python packages | ||
| uses: actions/cache@v3 | ||
| with: | ||
| path: ~/.cache/pip | ||
| key: ${{ runner.os }}-pip-${{ hashFiles('**/requirements.txt') }} | ||
| restore-keys: | | ||
| ${{ runner.os }}-pip- | ||
| - name: get cached database | ||
| uses: actions/cache@v3 | ||
| with: | ||
| path: cache | ||
| key: Linux-cve-bin-tool-${{ steps.get-date.outputs.date }} | ||
| - name: Install CVE Binary Tool | ||
| # We are using latest development version of CVE Binary Tool | ||
| # because current PyPI version don't have features like config file support, | ||
| # generating HTML report etc. | ||
| run: | | ||
| [[ -e cache ]] && mkdir -p .cache && mv cache ~/.cache/cve-bin-tool | ||
| pip install git+https://github.com/intel/cve-bin-tool@main | ||
| # In case you prefer current PyPI version, you need to hard code CLI options | ||
| # for cve-bin-tool in the action itself and have to use CSV or JSON as output format. | ||
| # pip install cve-bin-tool | ||
| - name: build package | ||
| run: | | ||
| state run preprocess | ||
| state run build | ||
| - name: Scan built package | ||
| run: cve-bin-tool build -f html -o cve-bin-tool-report.html -x | ||
| continue-on-error: true | ||
| # You need to set continue_on_error: true because CVE Binary Tool sets number of cves | ||
| # as exit code. And GitHub terminates action when process produces | ||
| # nonzero exit code status. | ||
| - name: Upload report as an artifact | ||
| # This will upload generated report as an GitHub artifact which you can download later. | ||
| uses: actions/upload-artifact@v2 | ||
| with: | ||
| name: cve_report | ||
| path: 'cve-bin-tool-report.html' |