From 615666c5d985e6a2b5e203b506e5289af3b5ef19 Mon Sep 17 00:00:00 2001
From: Trilok Khairnar <214651+cruizen@users.noreply.github.com>
Date: Thu, 26 Oct 2023 16:20:20 +0530
Subject: [PATCH 1/3] Create trivy.yml GitHub action workflow for Trivy scan
---
 .github/workflows/trivy.yml | 48 +++++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 .github/workflows/trivy.yml
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000..46585b0
--- /dev/null
+++ b/.github/workflows/trivy.yml
@@ -0,0 +1,48 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: trivy
+
+on:
+ push:
+ branches: [ "master", "platform9-v*" ]
+ pull_request:
+ # The branches below must be a subset of the branches above
+ branches: [ "master" ]
+ schedule:
+ - cron: '15 7 * * 5'
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ permissions:
+ contents: read # for actions/checkout to fetch code
+ security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+ actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+ name: Build
+ runs-on: "ubuntu-20.04"
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Build an image from Dockerfile
+ run: |
+ docker build -t docker.io/my-organization/my-app:${{ github.sha }} .
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
+ with:
+ image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}'
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: 'trivy-results.sarif'
+ severity: 'CRITICAL,HIGH'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
From 6718b04a29b3c8072631285ef9498b90c8664f8e Mon Sep 17 00:00:00 2001
From: Trilok Khairnar <214651+cruizen@users.noreply.github.com>
Date: Thu, 26 Oct 2023 23:38:51 +0530
Subject: [PATCH 2/3] Update trivy.yml Update image org:name
---
 .github/workflows/trivy.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 46585b0..be92e3f 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
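Review bot: The three actions under `steps` are pinned inconsistently: `aquasecurity/trivy-action` is locked to a full commit SHA, but `actions/checkout@v4` and `github/codeql-action/upload-sarif@v2` float on mutable tags that a retargeted or force-pushed tag could redirect, which is exactly the class of supply-chain risk a vulnerability scanner workflow should not itself carry. Pin all three the same way, e.g. `uses: actions/checkout@<full-commit-sha> # v4` and `uses: github/codeql-action/upload-sarif@<full-commit-sha> # v2`, so the workflow's own dependencies are immutable and reviewable. The scanner step's `format: 'template'` with `template: '@/contrib/sarif.tpl'` is the older SARIF route; if the pinned trivy-action release supports it, `format: 'sarif'` produces the same file with one fewer input to maintain. Note also that the step relies on trivy-action's default `exit-code`, so CRITICAL/HIGH findings are reported to the Security tab but never fail the job — fine for visibility, but worth a comment such as `# reports only; set exit-code: '1' to gate merges` so the non-gating behaviour is deliberate — and on `pull_request` runs from forks the token is presumably read-only, so the `security-events: write` grant and the upload step would not take effect there; confirm against the repository's fork policy.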
@@ -31,12 +31,12 @@ jobs: - name: Build an image from Dockerfile run: | - docker build -t docker.io/my-organization/my-app:${{ github.sha }} . + docker build -t docker.io/platform9/vouch:${{ github.sha }} . - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe with: - image-ref: 'docker.io/my-organization/my-app:${{ github.sha }}' + image-ref: 'docker.io/platform9/vouch:${{ github.sha }}' format: 'template' template: '@/contrib/sarif.tpl' output: 'trivy-results.sarif'
From 53cdeaa551e8eb98ef0db99a780cc4124e5d6649 Mon Sep 17 00:00:00 2001
From: Trilok Khairnar <214651+cruizen@users.noreply.github.com>
Date: Fri, 27 Oct 2023 13:28:08 +0530
Subject: [PATCH 3/3] Update trivy.yml `docker build` was failing since `Dockerfile` is in `./container` and not `.`
---
 .github/workflows/trivy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index be92e3f..eab1660 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -31,7 +31,7 @@ jobs: - name: Build an image from Dockerfile run: | - docker build -t docker.io/platform9/vouch:${{ github.sha }} . + docker build -t docker.io/platform9/vouch:${{ github.sha }} ./container/ - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
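Review bot: The image reference `docker.io/platform9/vouch:${{ github.sha }}` is still maintained by hand in two places — the `docker build -t` line and the scanner step's `image-ref:` — which is why this commit has to change both lines in lockstep, and the following hunk (`@@ -31,7 +31,7 @@`) edits the same `run:` line yet again. Defining it once at job level, `env:` with `IMAGE_REF: 'docker.io/platform9/vouch:${{ github.sha }}'`, and using `$IMAGE_REF` in the `run:` script and `${{ env.IMAGE_REF }}` in `image-ref:`, guarantees the scanner inspects exactly the image that was just built rather than a stale or mistyped tag, which is the property the whole workflow depends on. The enclosing `build` job starts and ends outside this hunk.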