Create trivy-all-slack.yml #94

Open. Wants to merge 2 commits into base: main
84 changes: 56 additions & 28 deletions .github/workflows/trivy-all.yml
@@ -1,15 +1,12 @@
name: Trivy Analysis (indy_node:latest)
Why are you removing the name?

suggestion: keep


on:
schedule:
# run every Wednesday at 23:20
- cron: '20 23 * * 3'
workflow_dispatch:


jobs:
workflow_setup:
name: Setup variables
name: Setup variables
runs-on: ubuntu-latest
outputs:
repo_owner: ${{ steps.repo_owner.outputs.lowercase }}
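Review bot: the top-level `name: Trivy Analysis (indy_node:latest)` is removed in this hunk without a replacement, so the Actions tab will list this workflow by its file path instead of a readable title; keep a `name:` line (as the earlier comment's "suggestion: keep" says), ideally one that reflects the new Slack-notification purpose, e.g. `name: Trivy Analysis (Slack)`. The `name: Setup variables` line appears twice, once as removed and once as added, so the change there is presumably indentation only; please confirm the new indentation still parses as intended, since YAML nesting errors in this block would silently break the `outputs:` mapping used by the `trivy_analysis` job.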
@@ -19,7 +16,7 @@ jobs:
id: repo_owner
run: echo "::set-output name=lowercase::$(echo ${{ github.repository_owner }} | tr \"[:upper:]\" \"[:lower:]\")"
shell: bash

trivy_analysis:
name: Trivy Analysis of Indy Node Images
runs-on: "ubuntu-20.04"
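Review bot: the `run: echo "::set-output name=lowercase::..."` line in this hunk uses the `set-output` workflow command, which GitHub has deprecated in favour of the `GITHUB_OUTPUT` environment file; since this file is being reworked anyway, switch it to `run: echo "lowercase=$(echo '${{ github.repository_owner }}' | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"`, which keeps `steps.repo_owner.outputs.lowercase` working unchanged for the `repo_owner` job output.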
@@ -30,30 +27,61 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v2

- name: Run Trivy on indy_node:${{ matrix.os_version }}
- name: Run Trivy vulnerability scanner for Slack messages on indy_node:${{ matrix.os_version }}
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/${{ needs.workflow_setup.outputs.repo_owner }}/indy-node-container/indy_node:latest-${{ matrix.os_version }}'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-indy-node-${{ matrix.os_version }}.sarif'
#image-ref: 'ghcr.io/idunion/indy-node-container/indy_node:latest-ubuntu18'
remove commented lines

Suggested change
#image-ref: 'ghcr.io/idunion/indy-node-container/indy_node:latest-ubuntu18'

image-ref: 'ghcr.io/zickau/indy_node:latest-${{ matrix.os_version }}'
@zickau please run the scan on the images in the HL repo, i.e.

Suggested change
image-ref: 'ghcr.io/zickau/indy_node:latest-${{ matrix.os_version }}'
image-ref: 'ghcr.io/${{ needs.workflow_setup.outputs.repo_owner }}/indy-node-container/indy_node:latest-${{ matrix.os_version }}'

scan-type: 'image'
severity: 'HIGH,CRITICAL'
ignore-unfixed: true
severity: 'CRITICAL,HIGH'

- name: Patch tool name for ${{ matrix.os_version }} scan
run: |
sed -i 's/"name": "Trivy",/"name": "Trivy${{ matrix.os_version }}Latest",/g' trivy-indy-node-${{ matrix.os_version }}.sarif

- name: 'Safe trivy-indy-node-${{ matrix.os_version }}.sarif'
uses: actions/upload-artifact@v2
format: json
#output: 'results.json'
remove commented lines

Suggested change
#output: 'results.json'

output: 'trivy-indy-node-${{ matrix.os_version }}.json'
# Ignoring the go.sum file as it may contain the older dependencies entries which are not being used now.
skip-dirs: 'go.sum'
- name: Read file contents
id: read_file
uses: andstor/[email protected]
with:
name: trivy-indy-node-${{ matrix.os_version }}.sarif
path: trivy-indy-node-${{ matrix.os_version }}.sarif
retention-days: 8

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
path: "trivy-indy-node-${{ matrix.os_version }}.json"
- name: Create Issues Summary
run: |
summary1=$(grep -o '"VulnerabilityID": "[^"]*' trivy-indy-node-${{ matrix.os_version }}.json | grep -o '[^"]*$' | tr '\n' ',')
summary2=$(echo $summary1 | sed 's/.$//')
if [ -z $summary1 ]
then
summary2="0 Issues"
fi
echo "SUMMARY=$summary2" >> $GITHUB_ENV
- name: Send custom JSON data to Slack workflow
id: slack
uses: slackapi/[email protected]
with:
sarif_file: 'trivy-indy-node-${{ matrix.os_version }}.sarif'

payload: |
{
"text": "CVE found: ",
"blocks": [
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "*CVEs (HIGH,CRITICAL)* found in indy_node_container:${{ matrix.os_version }}: "
}
},
{
"type": "section",
"text": {
"type": "mrkdwn",
"text": "${{ env.SUMMARY }}"
}
}
]
}
env:
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_IDU }}
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
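Review bot: several problems in this hunk. First, `image-ref: 'ghcr.io/zickau/indy_node:latest-${{ matrix.os_version }}'` scans a personal image rather than the project's, and leaves the `workflow_setup` job's `repo_owner` output unused; the suggested `image-ref: 'ghcr.io/${{ needs.workflow_setup.outputs.repo_owner }}/indy-node-container/indy_node:latest-${{ matrix.os_version }}'` from the earlier comment is the right fix. Second, `skip-dirs: 'go.sum'` names a file, not a directory, so it has no effect; trivy-action's `skip-files` input is the one for a file path, and the accompanying comment should say what it actually intends. Third, the `Read file contents` step (`andstor/file-reader-action`) is dead code: `steps.read_file.outputs.contents` is never referenced, so either drop the step or use its output in the Slack payload. Fourth, the `Create Issues Summary` script is fragile: `[ -z $summary1 ]` and `>> $GITHUB_ENV` should be quoted (`[ -z "$summary1" ]`, `>> "$GITHUB_ENV"`), the `grep -o '"VulnerabilityID": ...'` pattern depends on Trivy's JSON key spacing and lists the same CVE once per affected package, and a long list will exceed Slack's 3000-character limit for a section block's text and be rejected by the webhook. A `jq` expression over Trivy's JSON, e.g. `jq -r '[.Results[]?.Vulnerabilities[]?.VulnerabilityID] | unique | join(",")' trivy-indy-node-${{ matrix.os_version }}.json`, dedupes and is schema-aware; then emit a count plus a truncated list, or a link to the run, rather than the raw list. Fifth, `uses: aquasecurity/trivy-action@master` is unpinned in a job that handles `secrets.SLACK_WEBHOOK_URL_IDU`; pin it to a release tag or commit SHA like the other two actions. Finally, the `upload-artifact` and `github/codeql-action/upload-sarif` steps are deleted, so findings no longer reach the Security tab; given the PR title (`trivy-all-slack.yml`), either put the Slack notification in a separate workflow file or keep the SARIF upload alongside it.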