Merge pull request #1120 from eclipse-tractusx/chore/trivy-main

CICD: build local images for scheduled trivy checks
eclipse-tractusx · Nov 22, 2024 · 7acc7f9 · 7acc7f9
2 parents 87d8c9c + 86493a3
commit 7acc7f9
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 207 deletions.
diff --git a/.github/workflows/app-test-trivy-all.yaml b/.github/workflows/app-test-trivy-all.yaml
diff --git a/.github/workflows/app-test-trivy.yaml b/.github/workflows/app-test-trivy.yaml
@@ -17,28 +17,20 @@
 # SPDX-License-Identifier: Apache-2.0
 ################################################################################
 
-name: Perform Trivy Scan on App
+name: 'Perform Trivy Scan on All Apps'
 on:
   workflow_dispatch:
-    inputs:
-      app:
-        description: 'The name of the BPDM app to scan'
-        type: choice
-        required: true
-        options:
-          - pool
-          - gate
-          - orchestrator
-          - cleaning-service-dummy
   workflow_call:
-    inputs:
-      app:
-        description: 'The name of the BPDM app to scan'
-        type: string
-        required: true
+  pull_request:
+    branches:
+      - main
+      - 'release/**'
 jobs:
-  scan:
+  scan-image:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        app: [pool, gate, orchestrator, cleaning-service-dummy]
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -50,14 +42,14 @@ jobs:
         uses: docker/build-push-action@v6
         with:
           context: .
-          file: docker/${{ inputs.app }}/Dockerfile
-          tags: bpdm-${{ inputs.app }}:test
+          file: docker/${{ matrix.app }}/Dockerfile
+          tags: bpdm-${{ matrix.app }}:test
           load: true
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.28.0
+        uses: aquasecurity/trivy-action@0.29.0
         with:
-          image-ref: "bpdm-${{ inputs.app }}:test"
+          image-ref: "bpdm-${{ matrix.app }}:test"
           exit-code: "1"
           severity: "CRITICAL,HIGH"
-          timeout: 15m
+          timeout: 15m
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -26,169 +26,51 @@ on:
   push:
     branches:
       - main
+      - 'release/**'
   schedule:
     # Once a day
     - cron: "0 0 * * *"
   # Trigger manually
   workflow_dispatch:
 
 jobs:
-  analyze-config:
+  scan-app:
     runs-on: ubuntu-latest
     permissions:
       actions: read
       contents: read
       security-events: write
-
+    strategy:
+      matrix:
+        app: [pool, gate, orchestrator, cleaning-service-dummy]
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
-      - name: Run Trivy vulnerability scanner in repo mode
-        uses: aquasecurity/[email protected]
-        with:
-          scan-type: "config"
-          # ignore-unfixed: true
-          exit-code: "0"
-          hide-progress: false
-          format: "sarif"
-          output: "trivy-results1.sarif"
-          severity: "CRITICAL,HIGH"
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
 
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
-        if: always()
+      - name: Build App Image
+        uses: docker/build-push-action@v6
         with:
-          sarif_file: "trivy-results1.sarif"
-
-  analyze-product-bpdm-pool:
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-      packages: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
+          context: .
+          file: docker/${{ matrix.app }}/Dockerfile
+          tags: bpdm-${{ matrix.app }}:test
+          load: true
 
       - name: Run Trivy vulnerability scanner
-        if: always()
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/[email protected]
         with:
-          # Path to Docker image
-          image-ref: "docker.io/tractusx/bpdm-pool:latest"
+          image-ref: "bpdm-${{ matrix.app }}:test"
           format: "sarif"
-          output: "trivy-results2.sarif"
-          exit-code: "0"
+          output: "trivy-${{ matrix.app }}-results.sarif"
           severity: "CRITICAL,HIGH"
-          timeout: 15m
-        env:
-          TRIVY_USERNAME: ${{ github.actor }}
-          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        if: always()
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: "trivy-results2.sarif"
-
-  analyze-product-bpdm-gate:
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-      packages: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Run Trivy vulnerability scanner
-        if: always()
-        uses: aquasecurity/[email protected]
-        with:
-          # Path to Docker image
-          image-ref: "docker.io/tractusx/bpdm-gate:latest"
-          format: "sarif"
-          output: "trivy-results3.sarif"
-          exit-code: "0"
-          severity: "CRITICAL,HIGH"
-          timeout: 15m
-        env:
-          TRIVY_USERNAME: ${{ github.actor }}
-          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        if: always()
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: "trivy-results3.sarif"
-
-  analyze-product-bpdm-cleaning-service-dummy:
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-      packages: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Run Trivy vulnerability scanner
-        if: always()
-        uses: aquasecurity/[email protected]
-        with:
-          # Path to Docker image
-          image-ref: "docker.io/tractusx/bpdm-cleaning-service-dummy:latest"
-          format: "sarif"
-          output: "trivy-results4.sarif"
-          exit-code: "0"
-          severity: "CRITICAL,HIGH"
-          timeout: 15m
-        env:
-          TRIVY_USERNAME: ${{ github.actor }}
-          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        if: always()
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: "trivy-results4.sarif"
-
-  analyze-product-bpdm-orchestrator:
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-      packages: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-
-      - name: Run Trivy vulnerability scanner
-        if: always()
-        uses: aquasecurity/[email protected]
-        with:
-          # Path to Docker image
-          image-ref: "docker.io/tractusx/bpdm-orchestrator:latest"
-          format: "sarif"
-          output: "trivy-results4.sarif"
-          exit-code: "0"
-          severity: "CRITICAL,HIGH"
-          timeout: 15m
-        env:
-          TRIVY_USERNAME: ${{ github.actor }}
-          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+          hide-progress: false
+          exit-code: "1"
+          limit-severities-for-sarif: true
 
       - name: Upload Trivy scan results to GitHub Security tab
         if: always()
         uses: github/codeql-action/upload-sarif@v3
         with:
-          sarif_file: "trivy-results4.sarif"
+          sarif_file: "trivy-${{ matrix.app }}-results.sarif"