From eaea31524f79a51a42e830d4a95fa5c148ee2d0e Mon Sep 17 00:00:00 2001 From: "hubert.siwik" Date: Sat, 12 Oct 2024 13:02:40 +0200 Subject: [PATCH] feat: Add Trivy scanner to the pipeline --- .github/workflows/cron.yaml | 28 ++++++++++++++++++++++++++++ .github/workflows/verifyimage.yml | 17 +++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 .github/workflows/cron.yaml diff --git a/.github/workflows/cron.yaml b/.github/workflows/cron.yaml new file mode 100644 index 0000000..464e644 --- /dev/null +++ b/.github/workflows/cron.yaml @@ -0,0 +1,28 @@ +# In your scan workflow, set TRIVY_SKIP_DB_UPDATE=true. +name: Update the trivy cache + +on: + schedule: + - cron: '0 0 * * *' # Run daily at midnight UTC + workflow_dispatch: # Allow manual triggering + +jobs: + update-trivy-db: + runs-on: ubuntu-latest + steps: + - name: Get current date + id: date + run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT + + - name: Download and extract the vulnerability DB + run: | + mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db + oras pull ghcr.io/aquasecurity/trivy-db:2 + tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db + rm db.tar.gz + + - name: Cache DBs + uses: actions/cache/save@v4 + with: + path: ${{ github.workspace }}/.cache/trivy + key: cache-trivy-${{ steps.date.outputs.date }} diff --git a/.github/workflows/verifyimage.yml b/.github/workflows/verifyimage.yml index 8d785e1..8012c16 100644 --- a/.github/workflows/verifyimage.yml +++ b/.github/workflows/verifyimage.yml @@ -14,6 +14,7 @@ jobs: runs-on: ubuntu-latest outputs: targets: ${{ steps.generate.outputs.targets }} + repo: ${{ steps.metadata.outputs.repo }} steps: - name: Checkout uses: actions/checkout@v4 @@ -25,6 +26,10 @@ jobs: curl -sSL https://raw.githubusercontent.com/owasp-modsecurity/ModSecurity/v3/master/modsecurity.conf-recommended -o modsecurity.conf-recommended echo '${{ env.MODSECURITY_RECOMMENDED }}' > sha256sum.txt sha256sum -c sha256sum.txt + # The environment variable is not accessible in the context of "with" section + - name: Set a repo output + id: metadata + run: echo "repo=${REPO}" >> "$GITHUB_OUTPUT" build: runs-on: ubuntu-latest @@ -60,6 +65,18 @@ jobs: load: true push: false + - name: Scan ${{ matrix.target }} + uses: aquasecurity/trivy-action@0.27.0 + with: + image-ref: ${{ needs.prepare.outputs.repo }}:${{ matrix.target }} + format: 'table' + exit-code: '1' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH,MEDIUM' + env: + TRIVY_SKIP_DB_UPDATE: true + - name: Run ${{ matrix.target }} run: | echo "Starting container ${{ matrix.target }}"