From c965b0e3c271ef1b14006d88d386dcdd2cd015b2 Mon Sep 17 00:00:00 2001
From: Ralf Nelles <73938413+RalfNellesCap@users.noreply.github.com>
Date: Thu, 26 Jan 2023 16:21:32 +0100
Subject: [PATCH] Ops 3814 add image vulnerability scanning (#50)

* [OPS-3814] add GHA Trivy cron
* [OPS-3814] add trivy cron to BAP action
* [OPS-3814] split GHA
* [OPS-3814] add GHJA trigger to test
* [OPS-3814] add repro matrix
* [OPs-3814] fix workflow
* add trigger
* add trigger other workflow
* add workflow call
* fix workflow
* fix typo
* fix action
* [OPS-3814] update trivy action version
* [OPS-3814] update trivy action version
* [OPS-3814] fix error trivy upload
* [OPS-3814] add trivy scan options
* [OPS-3841] debug option exit code
* [OPS-3814] add generic file name
* [OPS-3814] add workflow permissions
* [OPS-3814] fix trivy workflow permissions
* [OPS-3814] fix workflow
* [OPS-3814] add exitcode
* [OPS-3814] fix trivy action by commit hash
* [OPS-3814] reset trivy action to version master
* [OPS-3814] fix trivy workflow
* [OPS-3814] unset exitcode
* [OPS-3814] tidy for master
---
 .github/workflows/bapontag.yaml | 1 +
 .github/workflows/trivy-cron.yaml | 33 ++++++++++++++++++++++++++
 .github/workflows/trivy-scan.yaml | 39 +++++++++++++++++++++++++++++++
 3 files changed, 73 insertions(+)
 create mode 100644 .github/workflows/trivy-cron.yaml
 create mode 100644 .github/workflows/trivy-scan.yaml

diff --git a/.github/workflows/bapontag.yaml b/.github/workflows/bapontag.yaml
index d7f7cc2..f176b5c 100644
--- a/.github/workflows/bapontag.yaml
+++ b/.github/workflows/bapontag.yaml
@@ -53,3 +53,4 @@ jobs:
 push: true
 tags: ${{ steps.docker_meta_img_hub.outputs.tags }}
 labels: ${{ steps.docker_meta_img_hub.outputs.labels }}
+
diff --git a/.github/workflows/trivy-cron.yaml b/.github/workflows/trivy-cron.yaml
new file mode 100644
index 0000000..df08389
--- /dev/null
+++ b/.github/workflows/trivy-cron.yaml
@@ -0,0 +1,33 @@
+---
+name: Docker Image Trivy Image Vulnerability Scan Cron Job
+on:
+ schedule:
+ # Runs "at 2 a.m. past every day" (see https://crontab.guru)
+ - cron: '0 2 * * *'
+permissions:
+ # required for all workflows
+ security-events: write
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+# Multi Image Repro GHA
+jobs:
+ trivy_image_scan_cron:
+ strategy:
+ matrix:
+ image:
+ - infra-tools
+ - dbcmetrics
+ - awx-ee
+ uses: hpi-schul-cloud/infra-tools/.github/workflows/trivy-scan.yaml@master
+ with:
+ image-ref: 'docker.io/schulcloud/${{ matrix.image }}:latest'
+
+# Template Single Image Repro GHA
+# jobs:
+# trivy_image_scan_cron:
+# uses: hpi-schul-cloud/infra-tools/.github/workflows/trivy-scan.yaml@OPS-3814-add-Image-Vulnerability-Scanning
+# # uses: hpi-schul-cloud/infra-tools/.github/workflows/trivy-scan.yaml@master
+# with:
+# image-ref: 'docker.io/schulcloud/:latest'
diff --git a/.github/workflows/trivy-scan.yaml b/.github/workflows/trivy-scan.yaml
new file mode 100644
index 0000000..409774e
--- /dev/null
+++ b/.github/workflows/trivy-scan.yaml
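Review bot: The matrix job `trivy_image_scan_cron` runs without `fail-fast: false`, so if the scan of one image fails (an unavailable tag, a failed SARIF upload) GitHub cancels the remaining matrix entries and those images stay unscanned until the next night; add `fail-fast: false` under `strategy:` next to `matrix:`. The commented-out "Template Single Image" block at the end of the hunk still references the feature branch `@OPS-3814-add-Image-Vulnerability-Scanning`, which stops resolving once that branch is deleted; given the "tidy for master" intent, drop the block or keep only the `@master` form. Since caller and reusable workflow live in the same repository, `uses: ./.github/workflows/trivy-scan.yaml` would bind the scan to the same commit as this cron file rather than to whatever `master` holds at run time. "Repro" in the two section comments presumably means "Repo".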
@@ -0,0 +1,39 @@
+---
+name: Trivy Image Vulnerability Scann Job
+on:
+ workflow_call:
+ inputs:
+ image-ref:
+ description: "repository image reference"
+ required: true
+ type: string
+
+jobs:
+ build:
+ name: Build
+ runs-on: ubuntu-20.04
+ permissions:
+ # required for all workflows
+ security-events: write
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+ steps:
+ - name: Run Trivy vulnerability scanner
+ # Third-party action, pin to commit SHA!
+ # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions
+ # Breaking API Aqua Security Trivy Action 0.8.0
+ uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
+ with:
+ image-ref: ${{ inputs.image-ref }}
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+ # exit-code: 1
+ ignore-unfixed: true
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ if: always()
+ with:
+ sarif_file: 'trivy-results.sarif'
\ No newline at end of file
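Review bot: The `upload-sarif` step at the end of the hunk sets no `category`, so when the caller's matrix runs this workflow for several images against the same commit, every upload carries the same tool name and no category and code scanning treats them as one analysis, with later uploads expected to replace earlier results; add `category: ${{ inputs.image-ref }}` (or a slug derived from it) under `with:` so each image keeps its own findings in the Security tab. Two steps below the comment "Third-party action, pin to commit SHA!" the upload step uses `github/codeql-action/upload-sarif@v2`, a mutable tag; pin it the same way, `uses: github/codeql-action/upload-sarif@<commit-sha>  # <release tag>`, or state in a comment why a GitHub-owned action is exempt. The Trivy pin has no release recorded beside it and the preceding "Breaking API ... 0.8.0" comment reads as a note rather than a version (the commit history mentions both a hash pin and a reset to master), so a trailing `# <tag>` naming the release that SHA corresponds to would make future bumps checkable. With `exit-code` commented out the job succeeds regardless of findings, which suits a cron feed into code scanning, but a one-line comment such as `# findings are surfaced via code scanning only; the job never fails on them` would record that as intentional. The job is named `build`/`Build` although it only scans, and the workflow name has a typo, "Scann"; `scan`/"Scan" would match what it does.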