Skip to content

Commit

Permalink
feat: add trivy vulnerability check
Browse files Browse the repository at this point in the history
Trivy vulnerability check is added the GitHub Actions workflows.

ING-4183
  • Loading branch information
emanuelaepure10 committed Apr 25, 2024
1 parent 829ef63 commit 1bab9bf
Show file tree
Hide file tree
Showing 2 changed files with 166 additions and 0 deletions.
122 changes: 122 additions & 0 deletions .github/workflows/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,122 @@
name: Vulnerability scan

on:
pull_request:
branches:
#- '*' # Trigger on all branches for pull requests
- feat/ING-4183
workflow_dispatch:
inputs:
image-ref:
description: 'Image to scan (if not specified an fs scan is done)'
required: false
default: ''
junit-test-output:
description: 'Location to write JUnit test report to'
required: false
default: ''
create-test-report:
description: 'If a JUnit test report should be created by the action (otherwise it is assumed the report is handled outside of the action)'
required: false
default: 'false' # Note: Action inputs are always of type string
fail-for:
description: 'Issue types to fail for if they are present (added to JUnit report)'
default: 'CRITICAL'
report-retention-days:
description: 'Number of days to retain the HTML report'
default: '30'
report-tag:
description: 'Custom tag for report file, discern multiple reports created in the same run. By default, the job ID is used'
default: ''
check-image-user:
description: 'If the user of the Docker image should be checked to be non-root'
default: 'true' # Note: Action inputs are always of type string

jobs:
build:
runs-on: ubuntu-latest

steps:
#
# Check Docker image user
#
- name: 'Check Docker image user'
uses: 'wetransform/gha-docker-nonroot@master'
if: ${{ inputs.check-image-user == 'true' && inputs.image-ref != '' && (inputs.junit-test-output != '' || inputs.create-test-report) }}
with:
image-ref: ${{ inputs.image-ref }}
fail-for-root: false # Rather use JUnit report
create-junit-output: false
junit-test-output: ${{ inputs.junit-test-output != '' && inputs.junit-test-output || 'trivy.xml' }}-user-check.xml

#
# Scan for security vulnerabilities
#
- name: 'Scan Docker image for critical vulnerabilities'
uses: 'aquasecurity/[email protected]'
if: ${{ inputs.junit-test-output != '' || inputs.create-test-report }}
with:
image-ref: '${{ inputs.image-ref }}'
scan-type: ${{ inputs.image-ref != '' && 'image' || 'fs' }}
format: 'template'
template: '@/contrib/junit.tpl'
output: ${{ inputs.junit-test-output != '' && inputs.junit-test-output || 'trivy.xml' }}
ignore-unfixed: true
vuln-type: 'os,library'
severity: ${{ inputs.fail-for }}

- name: 'Determine report file name'
shell: bash
run: |
INPUT_STRING="${{ inputs.report-tag != '' && inputs.report-tag || github.job }}-trivy.html"
VALID_FILENAME=$(echo "$INPUT_STRING" | sed 's/[^A-Za-z0-9_.-]/_/g')
echo "REPORT_FILENAME=$VALID_FILENAME" >> $GITHUB_ENV
- name: 'Create vulnerability report as HTML'
uses: 'aquasecurity/[email protected]'
with:
image-ref: '${{ inputs.image-ref }}'
scan-type: ${{ inputs.image-ref != '' && 'image' || 'fs' }}
format: 'template'
template: '@/contrib/html.tpl'
output: ${{ env.REPORT_FILENAME }}

- name: 'Upload vulnerability report'
uses: 'actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32'
if: always()
with:
name: 'Vulnerability report (HTML)'
path: ${{ env.REPORT_FILENAME }}
retention-days: ${{ inputs.report-retention-days }}

- name: 'Copy vulnerability summary template'
shell: bash
run: |
cp ${GITHUB_ACTION_PATH}/summary.tpl ./trivy-summary.tpl
- name: 'Create summary on vulnerabilities'
uses: 'aquasecurity/[email protected]'
with:
image-ref: '${{ inputs.image-ref }}'
scan-type: ${{ inputs.image-ref != '' && 'image' || 'fs' }}
format: 'template'
template: '@trivy-summary.tpl'
output: 'trivy.md'

- name: 'Add to job summary'
shell: bash
run: |
echo "### Vulnerability summary (${{ inputs.image-ref != '' && inputs.image-ref || 'fs' }})" >> $GITHUB_STEP_SUMMARY
cat trivy.md >> $GITHUB_STEP_SUMMARY
#
# Report on unit tests and critical vulnerabilities
#
- name: 'Publish Test Report'
uses: 'mikepenz/action-junit-report@150e2f992e4fad1379da2056d1d1c279f520e058'
if: ${{ always() && inputs.create-test-report == 'true' }}
with:
report_paths: ${{ inputs.junit-test-output != '' && inputs.junit-test-output || 'trivy.xml' }}*
fail_on_failure: true
annotate_only: true
detailed_summary: true
44 changes: 44 additions & 0 deletions .github/workflows/trivy.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,44 @@
name: 'Scan CI Pipeline (w/ Trivy Config)'

on:
pull_request:
branches:
- '*'

jobs:
build:
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@v4

- name: Setup Maven
uses: s4u/[email protected]
with:
java-version: 17
java-distribution: temurin
maven-version: 3.8.6

- name: Run Trivy vulnerability scanner in fs mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
# trivy-config: trivy.yaml

# Upload Trivy scan results to GitHub Security tab
#- name: Upload Trivy scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: 'trivy-scan-results.sarif'

- name: Upload Trivy scan results
uses: actions/upload-artifact@v2
with:
name: trivy-results
path: trivy-results.json

- name: Display Trivy results
run: cat trivy-results.json
if: success() && always()

0 comments on commit 1bab9bf

Please sign in to comment.