Scan All Configured Docker Images

medizininformatik-initiative · Mar 30, 2023 · a342c3d · a342c3d
1 parent e838106
commit a342c3d
Showing 1 changed file with 50 additions and 1 deletion.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -18,8 +18,57 @@ jobs:
     steps:
 
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     - name: Check shell scripts
       uses: ludeeus/action-shellcheck@master
 
+  prepare-security-scan:
+    runs-on: ubuntu-latest
+    outputs:
+      images: ${{ steps.matrixgen.outputs.images }}
+    steps:
+
+      - uses: actions/checkout@v3
+
+      - name: Generate Image Test Matrix
+        id: matrixgen
+        run: |
+          echo "images=$(
+            first=true
+            echo -n '['
+            for i in $(grep -r --include="docker-compose.yml" -Pho 'image: \K(.+)$' | tr -d "\"'" | sort | uniq)
+            do
+              if $first
+              then
+                first=false
+              else
+                echo -n ","
+              fi
+              echo -n '"'$i'"'
+            done
+            echo ']')" >> "$GITHUB_OUTPUT"
+
+  security-scan:
+    runs-on: ubuntu-latest
+    needs: prepare-security-scan
+    strategy:
+      fail-fast: false
+      matrix:
+        image: ${{ fromJSON(needs.prepare-security-scan.outputs.images) }}
+    steps:
+      - name: Run Trivy Vulnerability Scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ matrix.image }}
+          format: sarif
+          exit-code: 1
+          ignore-unfixed: true
+          output: trivy-results.sarif
+          severity: 'CRITICAL,HIGH'
+          timeout: '15m0s'
+
+      - name: Upload Trivy Scan Results to GitHub Security Tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: trivy-results.sarif