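# Trivy filesystem scan. Adapted from upstream
# opencost/opencost/.github/workflows/vulnerability-scan.yaml with
# branch (develop) adjusted and supply-chain tightening applied:
#
# - actions/* pinned to SHA (upstream pins by tag). SHAs match the
#   ones already used by scorecard.yml here.
# - Trivy is installed from a pinned release tarball with a
#   SHA256-verified checksum rather than `curl | sh`. Mirrors the
#   install pattern used by airgap-e2e.yml (helm, kind, crane, oras).
# - Workflow- and job-scoped `permissions:` pared down to the
#   minimum: `contents: read` for checkout, `security-events: write`
#   for SARIF upload. `issues: write` (inherited from upstream) is
#   dropped — no step in this workflow creates or updates issues.
#
# Fails the build on CRITICAL or HIGH findings (`--exit-code 1
# --severity CRITICAL,HIGH`), matching upstream. This complements
# `govulncheck` (Go module graph only); Trivy adds container-layer
# coverage.
#
# Known gap: github/codeql-action/upload-sarif is still referenced by
# tag (see the TODO on that step), so it is the one action here that
# the SHA pinning above does not yet cover.
name: Trivy Vulnerability Scanner

permissions:
  contents: read

on:
  pull_request:
    branches:
      - develop
  push:
    branches:
      - develop
  merge_group:
    types: [checks_requested]

env:
  # Pinned Trivy release. Bump deliberately — a version change here
  # shifts the vulnerability database baseline for every subsequent
  # scan, and the SHA256 verification below is keyed on this version.
  TRIVY_VERSION: "0.58.0"

jobs:
  scan:
    name: Scan for Vulnerabilities
    runs-on: ubuntu-latest
    # Job-scoped grant: `security-events: write` is needed only by the
    # SARIF upload step; nothing here writes to the repository.
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

      - name: Install Trivy
        run: |
          set -euo pipefail
          curl -fsSL -o /tmp/trivy.tar.gz \
            "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
          curl -fsSL -o /tmp/trivy.checksums.txt \
            "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_checksums.txt"
          # Filter the multi-artefact checksums file down to the
          # tarball we actually downloaded, rewrite the filename to
          # match our local path, then verify. Because pipefail is
          # set, a grep with no match (no line for this artefact)
          # aborts the step instead of producing an empty checksum
          # file that `sha256sum -c` would reject less clearly.
          # NOTE: tarball and checksums file come from the same
          # release, so this proves download integrity, not release
          # provenance; a signature check on the checksums file would
          # be the next tightening step if the project adopts one.
          grep "trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz$" /tmp/trivy.checksums.txt \
            | sed "s/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz$/trivy.tar.gz/" \
            > /tmp/trivy.sha256sum
          ( cd /tmp && sha256sum -c trivy.sha256sum )
          tar -xzf /tmp/trivy.tar.gz -C /tmp trivy
          sudo install -m 0755 /tmp/trivy /usr/local/bin/trivy
          trivy --version

      - name: Run Trivy scan
        id: trivy-scan
        # The step is allowed to fail so the SARIF upload and the
        # summary step below still run; `steps.trivy-scan.outcome`
        # reports 'failure' regardless of continue-on-error.
        continue-on-error: true
        run: |
          set -euo pipefail
          # SARIF output uses Trivy's built-in `--format sarif`, which
          # does not require a template file path on disk — simpler
          # and more robust than the `@/contrib/sarif.tpl` reference
          # used by the install.sh-based upstream workflow.
          # This pass sets no `--exit-code`, so findings alone do not
          # abort here; only a tool error does (set -e).
          # NOTE(review): newer Trivy releases document `--pkg-types`
          # as the successor to `--vuln-type`; confirm the flag is
          # still accepted when bumping TRIVY_VERSION.
          trivy fs \
            --format sarif \
            --output trivy-results.sarif \
            --severity CRITICAL,HIGH \
            --vuln-type os,library \
            --no-progress .
          # Second pass emits JSON and fails the step on findings so
          # the downstream "Print vulnerability details" step can
          # summarise them.
          trivy fs \
            --format json \
            --output trivy-results.json \
            --severity CRITICAL,HIGH \
            --vuln-type os,library \
            --no-progress \
            --exit-code 1 .

      - name: Upload Trivy JSON report as artifact
        if: steps.trivy-scan.outcome == 'failure'
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: trivy-json-report
          path: trivy-results.json
          retention-days: 1

      - name: Upload SARIF to GitHub Security tab
        # Run after a failed scan step (the case we care about) but
        # not on cancellation, and only when the SARIF file actually
        # exists — an install or checkout failure leaves nothing to
        # upload, and upload-sarif would otherwise fail on the
        # missing file.
        if: ${{ !cancelled() && hashFiles('trivy-results.sarif') != '' }}
        uses: github/codeql-action/upload-sarif@v4 # TODO: resolve to SHA before first release
        with:
          sarif_file: 'trivy-results.sarif'
          category: trivy-fs

      - name: Print vulnerability details and fail job
        if: steps.trivy-scan.outcome == 'failure'
        run: |
          set -euo pipefail
          # The scan step reports 'failure' both for findings (exit 1
          # from the JSON pass) and for tool errors (e.g. a failed
          # vulnerability-DB download). Tool errors generally leave no
          # JSON report behind, so say which one happened instead of
          # blaming findings that were never recorded.
          if [ ! -s trivy-results.json ]; then
            echo "Trivy did not produce trivy-results.json; the scan step failed before completing. See the 'Run Trivy scan' step log."
            exit 1
          fi
          echo "Trivy scan found CRITICAL or HIGH severity vulnerabilities. Details:"
          echo "--------------------------------------------------------------------"
          # Parse the JSON report and print a summary of each vulnerability
          jq -r '.Results[] | .Target as $target | if .Vulnerabilities then .Vulnerabilities[] | "File: \($target)\nPackage: \(.PkgName) (\(.InstalledVersion))\nID: \(.VulnerabilityID)\nSeverity: \(.Severity)\nLink: \(.PrimaryURL)\n--------------------------------------------------------------------" else empty end' trivy-results.json
          # Exit with a failure code to fail the workflow
          exit 1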