feat: add trivy vulnerability check
Trivy vulnerability check is added to the GitHub Actions workflows.

ING-4183
emanuelaepure10 committed Apr 22, 2024
1 parent 1190433 commit 57e3b97
Showing 3 changed files with 160 additions and 36 deletions.
117 changes: 81 additions & 36 deletions .github/workflows/check.yml
@@ -1,43 +1,88 @@
name: Check
name: Pull Request Workflow

# XXX disabled for now because we use Jenkins still, but at the time this was tested it was functional
# on:
# pull_request:
# branches: [ master ]
on:
push:
branches:
#- '*' # Trigger on all branches for pull requests
- feat/ING-4183
workflow_dispatch: {}

jobs:
check:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

# Note: Actually we don't need Maven CLI, only Java 17, but this may have additional benefits due to the Maven cache
- name: Setup Maven
uses: s4u/setup-maven-action@4fdbe2a6a718a03bf4874636eed4311886cab6ba # v1.5.1
with:
java-version: 17
java-distribution: temurin
maven-version: 3.8.6

- name: Clean
run: ./build.sh clean
working-directory: ./build

- name: Test (commitStage)
run: ./build.sh commitStage
# run: ./build.sh integrationStage
working-directory: ./build

# https://github.com/marketplace/actions/junit-report-action
- name: Publish Test Report
uses: mikepenz/action-junit-report@9379f0ccddcab154835d4e2487555ee79614fe95 # v4.2.1
if: always() # always run even if the previous step fails
with:
report_paths: 'build/target/testReports/*.xml'

# TODO allure report?
# build/target/allure-results

# TODO archive logs?
# build/target/testReports/*.out,build/target/testReports/*.err
- name: Checkout code
uses: actions/checkout@v4

- name: Setup Maven
uses: s4u/[email protected]
with:
java-version: 17
java-distribution: temurin
maven-version: 3.8.6


- name: Login to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_PASSWORD }}

# Build Docker image
- name: Build Docker image
run: docker build -t halestudio-docker-image .

# Push Docker image to a registry (optional)
- name: Push Docker image
run: |
echo "${{ secrets.DOCKER_HUB_PASSWORD }}" | docker login -u ${{ secrets.DOCKER_HUB_USERNAME }} --password-stdin
docker push halestudio-docker-image
# Scan Docker image using Trivy
- name: Scan Docker image for vulnerabilities
uses: aquasecurity/[email protected]
with:
image-ref: 'halestudio-docker-image'
scan-type: 'image'
format: 'template'
template: '/junit.tpl'
output: 'trivy-scan-results.xml'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL'

# Upload Trivy scan results to GitHub Security tab
#- name: Upload Trivy scan results to GitHub Security tab
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: 'trivy-scan-results.sarif'

- name: Upload Trivy scan results
uses: actions/upload-artifact@v2
with:
name: trivy-results
path: trivy-results.json

- name: Clean
run: ./build.sh clean
working-directory: ./build

- name: Test
run: ./build.sh commitStage
working-directory: ./build

- name: Publish Test Report
uses: mikepenz/action-junit-report@v4
if: always() # always run even if the previous step fails
with:
# fail if there are no test results
require_tests: true

# Workaround for check that is additionally created being associated
# to the wrong workflow/run. Instead no additional check is created.
# See https://github.com/mikepenz/action-junit-report/issues/40
annotate_only: true
detailed_summary: true
report_paths: 'build/target/testReports/*.xml'
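Review bot: The push step publishes `halestudio-docker-image` to Docker Hub before the Trivy step scans it, and the scan sets no `exit-code: '1'`, so a CRITICAL finding neither blocks the push nor fails the job; the scan should run between build and push with `exit-code` set so findings gate publication (the unqualified image name also needs a `<namespace>/<repo>:<tag>` form to be pushable to Docker Hub). The report plumbing is inconsistent: the scan writes `output: 'trivy-scan-results.xml'` but the artifact step uploads `path: trivy-results.json`, and `template: '/junit.tpl'` is read by trivy as an inline template string rather than a file — file templates take the `@` prefix, e.g. `template: '@junit.tpl'`, which should resolve to the file this commit adds at the repository root. The rewrite replaces the commit-SHA pins the old file carried (`actions/checkout@b4ffde65…`, `mikepenz/action-junit-report@9379f0cc…`) with floating tags and introduces `actions/upload-artifact@v2`, which is deprecated; SHA pins with version comments should be kept for every action, including the new trivy and login steps. The `docker/login-action@v2` step and the `echo "${{ secrets.DOCKER_HUB_PASSWORD }}" | docker login …` line in the push step perform the same login twice; keep the action and drop the shell line so the secret is not piped through a shell. The same points apply to the near-identical copy in .github/workflows/trivy.yml.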

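--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,63 @@
+name: Pull Request Workflow
+
+on:
+push:
+branches:
+#- '*' # Trigger on all branches for pull requests
+- feat/ING-4183
+
+jobs:
+build:
+runs-on: ubuntu-latest
+
+steps:
+- name: Checkout code
+uses: actions/checkout@v4
+
+- name: Setup Maven
+uses: s4u/[email protected]
+with:
+java-version: 17
+java-distribution: temurin
+maven-version: 3.8.6
+
+- name: Login to Docker Hub
+uses: docker/login-action@v2
+with:
+username: ${{ secrets.DOCKER_HUB_USERNAME }}
+password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+
+# Build Docker image
+- name: Build Docker image
+run: docker build -t halestudio-docker-image .
+
+# Push Docker image to a registry (optional)
+- name: Push Docker image
+run: |
+echo "${{ secrets.DOCKER_HUB_PASSWORD }}" | docker login -u ${{ secrets.DOCKER_HUB_USERNAME }} --password-stdin
+docker push halestudio-docker-image
+# Scan Docker image using Trivy
+- name: Scan Docker image for vulnerabilities
+uses: aquasecurity/[email protected]
+with:
+image-ref: 'halestudio-docker-image'
+scan-type: 'image'
+format: 'template'
+template: '/junit.tpl'
+output: 'trivy-scan-results.xml'
+ignore-unfixed: true
+vuln-type: 'os,library'
+severity: 'CRITICAL'
+
+# Upload Trivy scan results to GitHub Security tab
+#- name: Upload Trivy scan results to GitHub Security tab
+# uses: github/codeql-action/upload-sarif@v2
+# with:
+# sarif_file: 'trivy-scan-results.sarif'
+
+- name: Upload Trivy scan results
+uses: actions/upload-artifact@v2
+with:
+name: trivy-results
+path: trivy-results.json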
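Review bot: This job duplicates the login/build/push/scan/upload steps of .github/workflows/check.yml on the same `push` to `feat/ING-4183` trigger, so every push builds, publishes and scans the image twice; keep the scan in one workflow, or give this one a distinct trigger such as a `schedule` for periodic rescans of the published image. The `Setup Maven` step is unused here — no later step runs `build.sh` or Maven — so it only adds setup time and should be dropped. The workflow name `Pull Request Workflow` is also the name check.yml now uses, which makes the two runs indistinguishable in the Actions UI; a name such as `Trivy Scan` would match the file. The single-feature-branch filter and the commented-out `#- '*'` line read as debugging leftovers; the intended trigger should be settled before merge.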
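--- a/junit.tpl
+++ b/junit.tpl
@@ -0,0 +1,16 @@
+{{- range .Results }}
+<testsuite name="{{ .Target }}" tests="{{ len .Vulnerabilities }}">
+{{- range .Vulnerabilities }}
+<testcase name="{{ .VulnerabilityID }}">
+<failure type="Vulnerability">
+<![CDATA[
+{{ .VulnerabilityID }}: {{ .Title }}
+Description: {{ .Description }}
+Severity: {{ .Severity }}
+Package: {{ .PkgName }} ({{ .InstalledVersion }})
+]]>
+</failure>
+</testcase>
+{{- end }}
+</testsuite>
+{{- end }}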
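Review bot: `name="{{ .Target }}"` and `name="{{ .VulnerabilityID }}"` are written into XML attributes without escaping, so a target string containing `&`, `<` or `"` yields a malformed report that the JUnit publisher will reject; Trivy's template functions include `escapeXML`, so use `name="{{ escapeXML .Target }}"` and `name="{{ escapeXML .VulnerabilityID }}"`. The CDATA section protects the body text except when a description itself contains `]]>`, which terminates the section early — a residual risk worth a comment in the template. `<testsuite>` declares `tests` but not `failures`; JUnit consumers generally derive the failure count from a `failures="{{ len .Vulnerabilities }}"` attribute, so without it the findings may be summarised as passing tests. The workflows reference this file as `/junit.tpl` while it lives at the repository root; confirm the reference resolves inside the trivy-action container.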
