diff --git a/.github/workflows/app-test-trivy-all.yaml b/.github/workflows/app-test-trivy-all.yaml deleted file mode 100644 index d40cb4399..000000000 --- a/.github/workflows/app-test-trivy-all.yaml +++ /dev/null @@ -1,47 +0,0 @@ -################################################################################ -# Copyright (c) 2021,2024 Contributors to the Eclipse Foundation -# -# See the NOTICE file(s) distributed with this work for additional -# information regarding copyright ownership. -# -# This program and the accompanying materials are made available under the -# terms of the Apache License, Version 2.0 which is available at -# https://www.apache.org/licenses/LICENSE-2.0. -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the -# License for the specific language governing permissions and limitations -# under the License. -# -# SPDX-License-Identifier: Apache-2.0 -################################################################################ - -name: 'Perform Trivy Scan on All Apps' -on: - workflow_dispatch: - workflow_call: - pull_request: - branches: - - main - - 'release/**' -jobs: - scan-pool: - uses: ./.github/workflows/app-test-trivy.yaml - with: - app: pool - - scan-gate: - uses: ./.github/workflows/app-test-trivy.yaml - with: - app: gate - - scan-orchestrator: - uses: ./.github/workflows/app-test-trivy.yaml - with: - app: orchestrator - - scan-cleaning-service-dummy: - uses: ./.github/workflows/app-test-trivy.yaml - with: - app: cleaning-service-dummy diff --git a/.github/workflows/app-test-trivy.yaml b/.github/workflows/app-test-trivy.yaml index dd85db79c..b03b88299 100644 --- a/.github/workflows/app-test-trivy.yaml +++ b/.github/workflows/app-test-trivy.yaml @@ -17,28 +17,20 @@ # SPDX-License-Identifier: Apache-2.0 ################################################################################ -name: Perform Trivy Scan on App +name: 'Perform Trivy Scan on All Apps' on: workflow_dispatch: - inputs: - app: - description: 'The name of the BPDM app to scan' - type: choice - required: true - options: - - pool - - gate - - orchestrator - - cleaning-service-dummy workflow_call: - inputs: - app: - description: 'The name of the BPDM app to scan' - type: string - required: true + pull_request: + branches: + - main + - 'release/**' jobs: - scan: + scan-image: runs-on: ubuntu-latest + strategy: + matrix: + app: [pool, gate, orchestrator, cleaning-service-dummy] steps: - name: Checkout repository uses: actions/checkout@v4 @@ -50,14 +42,14 @@ jobs: uses: docker/build-push-action@v6 with: context: . - file: docker/${{ inputs.app }}/Dockerfile - tags: bpdm-${{ inputs.app }}:test + file: docker/${{ matrix.app }}/Dockerfile + tags: bpdm-${{ matrix.app }}:test load: true - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.28.0 + uses: aquasecurity/trivy-action@0.29.0 with: - image-ref: "bpdm-${{ inputs.app }}:test" + image-ref: "bpdm-${{ matrix.app }}:test" exit-code: "1" severity: "CRITICAL,HIGH" - timeout: 15m \ No newline at end of file + timeout: 15m diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index e244bcf85..603abd418 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -26,6 +26,7 @@ on: push: branches: - main + - 'release/**' schedule: # Once a day - cron: "0 0 * * *" @@ -33,162 +34,43 @@ on: workflow_dispatch: jobs: - analyze-config: + scan-app: runs-on: ubuntu-latest permissions: actions: read contents: read security-events: write - + strategy: + matrix: + app: [pool, gate, orchestrator, cleaning-service-dummy] steps: - name: Checkout repository uses: actions/checkout@v4 - - name: Run Trivy vulnerability scanner in repo mode - uses: aquasecurity/trivy-action@0.28.0 - with: - scan-type: "config" - # ignore-unfixed: true - exit-code: "0" - hide-progress: false - format: "sarif" - output: "trivy-results1.sarif" - severity: "CRITICAL,HIGH" + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - if: always() + - name: Build App Image + uses: docker/build-push-action@v6 with: - sarif_file: "trivy-results1.sarif" - - analyze-product-bpdm-pool: - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - packages: read - - steps: - - name: Checkout repository - uses: actions/checkout@v4 + context: . + file: docker/${{ matrix.app }}/Dockerfile + tags: bpdm-${{ matrix.app }}:test + load: true - name: Run Trivy vulnerability scanner - if: always() - uses: aquasecurity/trivy-action@master + uses: aquasecurity/trivy-action@0.29.0 with: - # Path to Docker image - image-ref: "docker.io/tractusx/bpdm-pool:latest" + image-ref: "bpdm-${{ matrix.app }}:test" format: "sarif" - output: "trivy-results2.sarif" - exit-code: "0" + output: "trivy-${{ matrix.app }}-results.sarif" severity: "CRITICAL,HIGH" - timeout: 15m - env: - TRIVY_USERNAME: ${{ github.actor }} - TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - - - name: Upload Trivy scan results to GitHub Security tab - if: always() - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: "trivy-results2.sarif" - - analyze-product-bpdm-gate: - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - packages: read - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Run Trivy vulnerability scanner - if: always() - uses: aquasecurity/trivy-action@0.28.0 - with: - # Path to Docker image - image-ref: "docker.io/tractusx/bpdm-gate:latest" - format: "sarif" - output: "trivy-results3.sarif" - exit-code: "0" - severity: "CRITICAL,HIGH" - timeout: 15m - env: - TRIVY_USERNAME: ${{ github.actor }} - TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - - - name: Upload Trivy scan results to GitHub Security tab - if: always() - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: "trivy-results3.sarif" - - analyze-product-bpdm-cleaning-service-dummy: - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - packages: read - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Run Trivy vulnerability scanner - if: always() - uses: aquasecurity/trivy-action@0.28.0 - with: - # Path to Docker image - image-ref: "docker.io/tractusx/bpdm-cleaning-service-dummy:latest" - format: "sarif" - output: "trivy-results4.sarif" - exit-code: "0" - severity: "CRITICAL,HIGH" - timeout: 15m - env: - TRIVY_USERNAME: ${{ github.actor }} - TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - - - name: Upload Trivy scan results to GitHub Security tab - if: always() - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: "trivy-results4.sarif" - - analyze-product-bpdm-orchestrator: - runs-on: ubuntu-latest - permissions: - actions: read - contents: read - security-events: write - packages: read - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Run Trivy vulnerability scanner - if: always() - uses: aquasecurity/trivy-action@0.28.0 - with: - # Path to Docker image - image-ref: "docker.io/tractusx/bpdm-orchestrator:latest" - format: "sarif" - output: "trivy-results4.sarif" - exit-code: "0" - severity: "CRITICAL,HIGH" - timeout: 15m - env: - TRIVY_USERNAME: ${{ github.actor }} - TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} + hide-progress: false + exit-code: "1" + limit-severities-for-sarif: true - name: Upload Trivy scan results to GitHub Security tab if: always() uses: github/codeql-action/upload-sarif@v3 with: - sarif_file: "trivy-results4.sarif" \ No newline at end of file + sarif_file: "trivy-${{ matrix.app }}-results.sarif" \ No newline at end of file