feat: Add Trivy scanner to the pipeline #447
Workflow file for this run
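---
# Pull-request gate for the container images: verify the checksum of the
# upstream modsecurity.conf-recommended file, build every bake target, scan
# each built image with Trivy, then check that the container stays running.
name: Verify Images

on:
  pull_request:
    branches:
      - main

# Least privilege for GITHUB_TOKEN: nothing below pushes or writes to the
# repository, so read access to its contents is sufficient.
permissions:
  contents: read

env:
  REPO: "owasp/modsecurity-crs"
  # sha256sum format: <hash><space><format (space for text)><file name>
  # NOTE(review): the format above has two characters between hash and file
  # name; confirm the value below matches the copy kept in the repository.
  MODSECURITY_RECOMMENDED: "ccff8ba1f12428b34ff41960d8bf773dd9f62b9a7c77755247a027cb01896d4f modsecurity.conf-recommended"

# NOTE(review): every `uses:` below references a tag, which the action owner
# can move. Pinning each one to a full commit SHA makes the pipeline's
# third-party code immutable between reviews.
jobs:
  prepare:
    runs-on: ubuntu-latest
    outputs:
      targets: ${{ steps.generate.outputs.targets }}
      repo: ${{ steps.metadata.outputs.repo }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # No later step needs git credentials; do not leave the token in
          # .git/config.
          persist-credentials: false
      - name: List targets
        id: generate
        uses: docker/bake-action/subaction/list-targets@v4
      - name: Check modsecurity recommended
        # The download comes from a branch ref, so the pinned SHA-256 is the
        # integrity control: the job fails if the upstream file changes.
        run: |
          curl -fsSL https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/modsecurity.conf-recommended -o modsecurity.conf-recommended
          echo "${MODSECURITY_RECOMMENDED}" > sha256sum.txt
          sha256sum -c sha256sum.txt
      # The environment variable is not accessible in the context of "with" section
      - name: Set a repo output
        id: metadata
        run: echo "repo=${REPO}" >> "$GITHUB_OUTPUT"

  build:
    runs-on: ubuntu-latest
    needs:
      - prepare
    strategy:
      matrix:
        target: ${{ fromJson(needs.prepare.outputs.targets) }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 1
          # The checkout is used as a Docker build context; keep the token
          # out of .git/config.
          persist-credentials: false
      # https://github.com/docker/setup-qemu-action
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      # https://github.com/docker/setup-buildx-action
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          # NOTE(review): `master` is a moving tag, so the builder image can
          # change between runs; consider a released BuildKit tag or digest.
          driver-opts: image=moby/buildkit:master
      - name: Build images
        # NOTE(review): the ref after "@" was obfuscated on the rendered page;
        # restore it from the repository before using this file.
        uses: docker/bake-action@PLACEHOLDER_REF_ELIDED_ON_PAGE
        with:
          files: |
            ./docker-bake.hcl
          targets: ${{ matrix.target }}
          set: |
            *.platform=linux/amd64
          # Load into the local Docker image store so the scan and run steps
          # can use the image; nothing is pushed.
          load: true
          push: false
      - name: Scan ${{ matrix.target }}
        # NOTE(review): the ref after "@" was obfuscated on the rendered page;
        # restore it from the repository before using this file.
        uses: aquasecurity/trivy-action@PLACEHOLDER_REF_ELIDED_ON_PAGE
        with:
          image-ref: ${{ needs.prepare.outputs.repo }}:${{ matrix.target }}
          format: 'table'
          # A non-zero exit code fails the job when a finding matches the
          # filters below.
          exit-code: '1'
          # Findings without an available fix are not reported, so they do
          # not gate the pull request.
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
          scanners: 'vuln,secret'
        env:
          # Trivy does not refresh its vulnerability DB in this step.
          # NOTE(review): confirm where the DB is provisioned and how fresh
          # it is; a stale DB will not flag recently published CVEs.
          TRIVY_SKIP_DB_UPDATE: "true"
          # TRIVY_SKIP_JAVA_DB_UPDATE: true
      - name: Run ${{ matrix.target }}
        env:
          # Pass the matrix value through the environment instead of
          # expanding it into the script text; target names come from
          # docker-bake.hcl, which a pull request can modify.
          TARGET: ${{ matrix.target }}
        run: |
          echo "Starting container ${TARGET}"
          docker run --pull "never" -d --name "${TARGET}-test" "${REPO}:${TARGET}"
          docker logs "${TARGET}-test"
      - name: Verify ${{ matrix.target }}
        env:
          TARGET: ${{ matrix.target }}
        run: |
          [ "$(docker inspect "${TARGET}-test" --format='{{.State.Running}}')" = 'true' ]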