diff --git a/.github/workflows/app-test-trivy-all.yaml b/.github/workflows/app-test-trivy-all.yaml
index d40cb4399..b03b88299 100644
--- a/.github/workflows/app-test-trivy-all.yaml
+++ b/.github/workflows/app-test-trivy-all.yaml
@@ -26,22 +26,30 @@ on:
 - main
 - 'release/**'
 jobs:
- scan-pool:
- uses: ./.github/workflows/app-test-trivy.yaml
- with:
- app: pool
+ scan-image:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ app: [pool, gate, orchestrator, cleaning-service-dummy]
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
- scan-gate:
- uses: ./.github/workflows/app-test-trivy.yaml
- with:
- app: gate
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
- scan-orchestrator:
- uses: ./.github/workflows/app-test-trivy.yaml
- with:
- app: orchestrator
+ - name: Build App Image
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ file: docker/${{ matrix.app }}/Dockerfile
+ tags: bpdm-${{ matrix.app }}:test
+ load: true
- scan-cleaning-service-dummy:
- uses: ./.github/workflows/app-test-trivy.yaml
- with:
- app: cleaning-service-dummy
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/trivy-action@0.29.0
+ with:
+ image-ref: "bpdm-${{ matrix.app }}:test"
+ exit-code: "1"
+ severity: "CRITICAL,HIGH"
+ timeout: 15m
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index e244bcf85..603abd418 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -26,6 +26,7 @@ on:
 push:
 branches:
 - main
+ - 'release/**'
 schedule:
 # Once a day
 - cron: "0 0 * * *"
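Review bot: The new `scan-image` job declares no `permissions:` block, so its `GITHUB_TOKEN` receives the repository's default token scopes although checkout, build and scan only need read access; add `permissions:` followed by `contents: read` under the job, mirroring the block the `scan-app` job in trivy.yml already carries. The matrix has no `fail-fast: false`, so with `exit-code: "1"` the first app with a HIGH or CRITICAL finding cancels the other three legs and their results are never reported; `fail-fast: false` under `strategy:` lets each image fail on its own. All four actions here, and the same `uses:` lines in the trivy.yml hunk below, are referenced by mutable tags such as `aquasecurity/trivy-action@0.29.0`; pinning each `uses:` to a full commit SHA with the tag kept in a trailing comment is the usual supply-chain hardening for a workflow that runs on main and release branches.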
@@ -33,162 +34,43 @@ on:
 workflow_dispatch:
 jobs:
- analyze-config:
+ scan-app:
 runs-on: ubuntu-latest
 permissions:
 actions: read
 contents: read
 security-events: write
-
+ strategy:
+ matrix:
+ app: [pool, gate, orchestrator, cleaning-service-dummy]
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
- - name: Run Trivy vulnerability scanner in repo mode
- uses: aquasecurity/trivy-action@0.28.0
- with:
- scan-type: "config"
- # ignore-unfixed: true
- exit-code: "0"
- hide-progress: false
- format: "sarif"
- output: "trivy-results1.sarif"
- severity: "CRITICAL,HIGH"
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
- - name: Upload Trivy scan results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@v3
- if: always()
+ - name: Build App Image
+ uses: docker/build-push-action@v6
 with:
- sarif_file: "trivy-results1.sarif"
-
- analyze-product-bpdm-pool:
- runs-on: ubuntu-latest
- permissions:
- actions: read
- contents: read
- security-events: write
- packages: read
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
+ context: .
+ file: docker/${{ matrix.app }}/Dockerfile
+ tags: bpdm-${{ matrix.app }}:test
+ load: true
 - name: Run Trivy vulnerability scanner
- if: always()
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@0.29.0
 with:
- # Path to Docker image
- image-ref: "docker.io/tractusx/bpdm-pool:latest"
+ image-ref: "bpdm-${{ matrix.app }}:test"
 format: "sarif"
- output: "trivy-results2.sarif"
- exit-code: "0"
+ output: "trivy-${{ matrix.app }}-results.sarif"
 severity: "CRITICAL,HIGH"
- timeout: 15m
- env:
- TRIVY_USERNAME: ${{ github.actor }}
- TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
- - name: Upload Trivy scan results to GitHub Security tab
- if: always()
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: "trivy-results2.sarif"
-
- analyze-product-bpdm-gate:
- runs-on: ubuntu-latest
- permissions:
- actions: read
- contents: read
- security-events: write
- packages: read
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: Run Trivy vulnerability scanner
- if: always()
- uses: aquasecurity/trivy-action@0.28.0
- with:
- # Path to Docker image
- image-ref: "docker.io/tractusx/bpdm-gate:latest"
- format: "sarif"
- output: "trivy-results3.sarif"
- exit-code: "0"
- severity: "CRITICAL,HIGH"
- timeout: 15m
- env:
- TRIVY_USERNAME: ${{ github.actor }}
- TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
- - name: Upload Trivy scan results to GitHub Security tab
- if: always()
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: "trivy-results3.sarif"
-
- analyze-product-bpdm-cleaning-service-dummy:
- runs-on: ubuntu-latest
- permissions:
- actions: read
- contents: read
- security-events: write
- packages: read
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: Run Trivy vulnerability scanner
- if: always()
- uses: aquasecurity/trivy-action@0.28.0
- with:
- # Path to Docker image
- image-ref: "docker.io/tractusx/bpdm-cleaning-service-dummy:latest"
- format: "sarif"
- output: "trivy-results4.sarif"
- exit-code: "0"
- severity: "CRITICAL,HIGH"
- timeout: 15m
- env:
- TRIVY_USERNAME: ${{ github.actor }}
- TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
- - name: Upload Trivy scan results to GitHub Security tab
- if: always()
- uses: github/codeql-action/upload-sarif@v3
- with:
- sarif_file: "trivy-results4.sarif"
-
- analyze-product-bpdm-orchestrator:
- runs-on: ubuntu-latest
- permissions:
- actions: read
- contents: read
- security-events: write
- packages: read
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: Run Trivy vulnerability scanner
- if: always()
- uses: aquasecurity/trivy-action@0.28.0
- with:
- # Path to Docker image
- image-ref: "docker.io/tractusx/bpdm-orchestrator:latest"
- format: "sarif"
- output: "trivy-results4.sarif"
- exit-code: "0"
- severity: "CRITICAL,HIGH"
- timeout: 15m
- env:
- TRIVY_USERNAME: ${{ github.actor }}
- TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+ hide-progress: false
+ exit-code: "1"
+ limit-severities-for-sarif: true
 - name: Upload Trivy scan results to GitHub Security tab
 if: always()
 uses: github/codeql-action/upload-sarif@v3
 with:
- sarif_file: "trivy-results4.sarif"
\ No newline at end of file
+ sarif_file: "trivy-${{ matrix.app }}-results.sarif"
\ No newline at end of file
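Review bot: The four matrix legs all upload SARIF through the same `upload-sarif` step with no `category`, so code scanning treats each upload as a fresh analysis by the same tool for the same commit and the last one to land can close the alerts the earlier apps' scans just opened; add `category: trivy-${{ matrix.app }}` under that step's `with:` so each app keeps its own analysis. With `exit-code: "1"` now failing the scan step and no `fail-fast: false` on the strategy, one app's finding cancels the remaining legs before their SARIF exists, so the Security tab only ever shows a partial picture; `fail-fast: false` keeps every leg running to its `if: always()` upload. The `analyze-config` job (`scan-type: "config"`) is removed and nothing on the new side replaces it, so repository misconfiguration scanning no longer runs on the daily schedule unless it has moved to a file outside this diff. Dropping `timeout: 15m` also leaves the scan on the action's default timeout, which is shorter than what the old jobs allowed and may be tight for a freshly built image with a cold vulnerability database.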