From a342c3dfdae58a0ba85ed59e4531f5bb3e78a781 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mathias=20R=C3=BChle?=
Date: Thu, 30 Mar 2023 02:52:14 +0200
Subject: [PATCH] Scan All Configured Docker Images
---
 .github/workflows/ci.yml | 51 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 50 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3d73561..2a2376f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,8 +18,57 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
 - name: Check shell scripts
 uses: ludeeus/action-shellcheck@master
+ prepare-security-scan:
+ runs-on: ubuntu-latest
+ outputs:
+ images: ${{ steps.matrixgen.outputs.images }}
+ steps:
+ - uses: actions/checkout@v3
+ - name: Generate Image Test Matrix
+ id: matrixgen
+ run: |
+ echo "images=$(
+ first=true
+ echo -n '['
+ for i in $(grep -r --include="docker-compose.yml" -Pho 'image: \K(.+)$' | tr -d "\"'" | sort | uniq)
+ do
+ if $first
+ then
+ first=false
+ else
+ echo -n ","
+ fi
+ echo -n '"'$i'"'
+ done
+ echo ']')" >> "$GITHUB_OUTPUT"
+ security-scan:
+ runs-on: ubuntu-latest
+ needs: prepare-security-scan
+ strategy:
+ fail-fast: false
+ matrix:
+ image: ${{ fromJSON(needs.prepare-security-scan.outputs.images) }}
+ steps:
+ - name: Run Trivy Vulnerability Scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: ${{ matrix.image }}
+ format: sarif
+ exit-code: 1
+ ignore-unfixed: true
+ output: trivy-results.sarif
+ severity: 'CRITICAL,HIGH'
+ timeout: '15m0s'
+ - name: Upload Trivy Scan Results to GitHub Security Tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: trivy-results.sarif
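Review bot: The "Upload Trivy Scan Results" step in `security-scan` is skipped exactly when Trivy finds something, because `exit-code: 1` fails the scan step and the upload step has no condition, so the SARIF only reaches the Security tab for clean images; add `if: always()` (or `if: success() || failure()`) to the upload step so findings are recorded before the job goes red. The new scanner is pulled by a mutable ref, `uses: aquasecurity/trivy-action@master` (the pre-existing `ludeeus/action-shellcheck@master` has the same problem); pin it to a full commit SHA with a version comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha> # vX.Y`, so a force-pushed or compromised branch cannot run arbitrary code with this job's token. `upload-sarif` also requires `security-events: write`; the workflow's `permissions` block, if there is one, is outside this hunk, so I cannot confirm it is granted. The matrix generator's `grep -Pho 'image: \K(.+)$'` will presumably also match commented-out `image:` lines and unexpanded `${VAR}` references in the compose files, which would then fail as unpullable refs rather than being skipped — worth filtering if such entries exist, and an empty result yields `[]`, which GitHub rejects as a matrix.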