Scan All Configured Docker Images

medizininformatik-initiative · Nov 21, 2024 · b692b33 · b692b33
1 parent 5814031
commit b692b33
Showing 1 changed file with 66 additions and 0 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -73,3 +73,69 @@ jobs:
       run: |
         ACCESS_TOKEN="$(feasibility-triangle/get-fhir-server-access-token.sh)"
         .github/scripts/test-consent-queries.sh https://fhir.localhost:444/fhir "$ACCESS_TOKEN" feasibility-triangle/auth/cert.pem
+
+  prepare-security-scan:
+    runs-on: ubuntu-latest
+    outputs:
+      images: ${{ steps.matrixgen.outputs.images }}
+    steps:
+
+      - uses: actions/checkout@v4
+
+      - name: Generate Image Test Matrix
+        id: matrixgen
+        run: |
+          echo "images=$(
+            first=true
+            echo -n '['
+            for i in $(grep -r --include="*docker-compose.yml" -Pho 'image: \K(.+)$' | tr -d "\"'" | sort | uniq)
+            do
+              if $first
+              then
+                first=false
+              else
+                echo -n ","
+              fi
+              echo -n '"'$i'"'
+            done
+            echo ']')" >> "$GITHUB_OUTPUT"
+
+  security-scan:
+    runs-on: ubuntu-latest
+    needs: prepare-security-scan
+    strategy:
+      fail-fast: false
+      matrix:
+        image: ${{ fromJSON(needs.prepare-security-scan.outputs.images) }}
+    steps:
+      - name: Run Trivy Vulnerability Scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ matrix.image }}
+          exit-code: 1
+          ignore-unfixed: true
+          severity: 'CRITICAL,HIGH'
+          timeout: '15m0s'
+
+  security-scan-upload:
+    runs-on: ubuntu-latest
+    needs: prepare-security-scan
+    strategy:
+      fail-fast: false
+      matrix:
+        image: ${{ fromJSON(needs.prepare-security-scan.outputs.images) }}
+    steps:
+      - name: Run Trivy Vulnerability Scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ matrix.image }}
+          format: sarif
+          ignore-unfixed: true
+          output: trivy-results.sarif
+          severity: 'CRITICAL,HIGH'
+          timeout: '15m0s'
+
+      - name: Upload Trivy Scan Results to GitHub Security Tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: trivy-results.sarif