-
Notifications
You must be signed in to change notification settings - Fork 12
137 lines (115 loc) · 4.11 KB
/
ci-vulnerability-scans.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
# GitHub Actions CI workflow that runs vulnerability scans on the application's Docker image
# to ensure images built are secure before they are deployed.
# NOTE: The workflow isn't able to pass the docker image between jobs, so each builds the image.
# A future PR will pass the image between the scans to reduce overhead and increase speed
name: CI Vulnerability Scans
on:
push:
branches:
- main
paths:
- app/**
- .grype.yml
- .hadolint.yaml
- .trivyignore
- .github/workflows/ci-vulnerability-scans.yml
pull_request:
paths:
- app/**
- .grype.yml
- .hadolint.yaml
- .trivyignore
- .github/workflows/ci-vulnerability-scans.yml
jobs:
hadolint-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
# Scans Dockerfile for any bad practices or issues
- name: Scan Dockerfile by hadolint
uses: hadolint/[email protected]
with:
dockerfile: app/Dockerfile
format: tty
failure-threshold: warning
output-file: hadolint-results.txt
- name: Save output to workflow summary
if: always() # Runs even if there is a failure
run: |
cat hadolint-results.txt >> $GITHUB_STEP_SUMMARY
trivy-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Build and tag Docker image for scanning
id: build-image
run: |
make release-build
IMAGE_NAME=$(make release-image-name)
IMAGE_TAG=$(make release-image-tag)
echo "image=$IMAGE_NAME:$IMAGE_TAG" >> $GITHUB_OUTPUT
- name: Run Trivy vulnerability scan
uses: aquasecurity/trivy-action@master
with:
scan-type: image
image-ref: ${{ steps.build-image.outputs.image }}
format: table
exit-code: 1
ignore-unfixed: true
vuln-type: os
scanners: vuln,secret
- name: Save output to workflow summary
if: always() # Runs even if there is a failure
run: |
echo "View results in GitHub Action logs" >> $GITHUB_STEP_SUMMARY
anchore-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Build and tag Docker image for scanning
id: build-image
run: |
make release-build
IMAGE_NAME=$(make release-image-name)
IMAGE_TAG=$(make release-image-tag)
echo "image=$IMAGE_NAME:$IMAGE_TAG" >> $GITHUB_OUTPUT
- name: Run Anchore vulnerability scan
uses: anchore/scan-action@v3
with:
image: ${{ steps.build-image.outputs.image }}
output-format: table
- name: Save output to workflow summary
if: always() # Runs even if there is a failure
run: |
echo "View results in GitHub Action logs" >> $GITHUB_STEP_SUMMARY
dockle-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Build and tag Docker image for scanning
id: build-image
run: |
make release-build
IMAGE_NAME=$(make release-image-name)
IMAGE_TAG=$(make release-image-tag)
echo "image=$IMAGE_NAME:$IMAGE_TAG" >> $GITHUB_OUTPUT
# Dockle doesn't allow you to have an ignore file for the DOCKLE_ACCEPT_FILES
# variable, this will save the variable in this file to env for Dockle
- name: Set any acceptable Dockle files
run: |
if grep -q "^DOCKLE_ACCEPT_FILES=.*" .dockleconfig; then
grep -s '^DOCKLE_ACCEPT_FILES=' .dockleconfig >> $GITHUB_ENV
fi
- name: Run Dockle container linter
uses: erzz/[email protected]
with:
image: ${{ steps.build-image.outputs.image }}
exit-code: '1'
failure-threshold: WARN
accept-filenames: ${{ env.DOCKLE_ACCEPT_FILES }}
- name: Save output to workflow summary
if: always() # Runs even if there is a failure
run: |
echo "```json" >> $GITHUB_STEP_SUMMARY
cat dockle-report.json >> $GITHUB_STEP_SUMMARY
echo "```" >> $GITHUB_STEP_SUMMARY