Skip to content

Vulnerability and Misconfiguration Scan #719

Vulnerability and Misconfiguration Scan

Vulnerability and Misconfiguration Scan #719

Workflow file for this run

# Copyright (c) 2022 Contributors to the Eclipse Foundation
#
# See the NOTICE file(s) distributed with this work for additional
# information regarding copyright ownership.
#
# This program and the accompanying materials are made available under the
# terms of the Eclipse Public License 2.0 which is available at
# http://www.eclipse.org/legal/epl-2.0
#
# SPDX-License-Identifier: EPL-2.0
#
# Scan repository and containers for security vulnerabilities, secrets and
# misconfigurations.
name: Vulnerability and Misconfiguration Scan
on:
schedule:
# run every night at 4:11 AM (UTC)
- cron: '11 4 * * *'
# enable running the workflow manually
workflow_dispatch:
jobs:
scan:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Maven
uses: stCarolas/setup-maven@v5
with:
maven-version: 3.8.8
- name: Set up JDK
uses: actions/setup-java@v4
with:
distribution: "temurin"
java-version: "17"
cache: "maven"
- name: Create Hono container images
run: |
mvn clean install -B -e -DCI=$CI -DskipTests -Pbuild-docker-image,metrics-prometheus
- name: Determine most recent Trivy version
run: |
echo "TRIVY_VERSION=$(wget -qO - 'https://api.github.com/repos/aquasecurity/trivy/releases/latest' | \
grep '\"tag_name\":' | sed -E 's/.*\"v([^\"]+)\".*/\1/')" >> $GITHUB_ENV
- name: Install Trivy
run: |
wget --no-verbose https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz -O - | tar -zxvf -
- name: Scan Docker images
run: |
mkdir -p scans/eclipse
for IMAGE in $(docker image ls --format "{{.Repository}}:{{.Tag}}" "eclipse/hono-*"); do
echo "Scanning image ${IMAGE} ..."
./trivy image "${IMAGE}" --timeout 15m0s --ignore-unfixed --severity HIGH,CRITICAL --output "scans/$IMAGE.sarif" --format sarif
done
- name: Upload Docker image scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'scans/eclipse'
category: "Container Images"