Trivy Security Scan #389
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Trivy Security Scan | |
on: | |
workflow_dispatch: | |
schedule: | |
- cron: 0 0 * * * # daily at midnight | |
workflow_call: | |
inputs: | |
image-ref: | |
type: string | |
required: false | |
description: Container Ref to be scanned by Trivy | |
env: | |
DOCKER_BUILDKIT: 1 | |
COSIGN_EXPERIMENTAL: 1 | |
jobs: | |
trivy-repo: | |
name: Scan repository | |
runs-on: ubuntu-latest | |
permissions: | |
security-events: write # upload security results | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Get main branch SHA | |
run: | | |
git pull origin main:main | |
echo "BASE_SHA=$(git merge-base --fork-point main)" | tee -a $GITHUB_ENV | |
- name: Scan repo filesystem | |
uses: aquasecurity/[email protected] | |
with: | |
scan-type: fs | |
format: sarif | |
output: trivy-results.sarif | |
- name: Upload scan results to GitHub Security | |
uses: github/codeql-action/upload-sarif@v2 | |
if: always() | |
with: | |
sarif_file: trivy-results.sarif | |
ref: refs/heads/main | |
sha: ${{ env.BASE_SHA }} | |
trivy-docker: | |
name: Scan container image | |
runs-on: ubuntu-latest | |
permissions: | |
security-events: write # upload security results | |
steps: | |
- name: Checkout repo | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Get main branch SHA | |
run: | | |
git pull origin main:main | |
echo "BASE_SHA=$(git merge-base --fork-point main)" | tee -a $GITHUB_ENV | |
- name: Install Cosign | |
uses: sigstore/[email protected] | |
- name: Generate docker-compliant image name | |
run: | | |
if [[ -z "$IMAGE_REF" ]]; then | |
echo "IMAGE_REF=$(echo ${GITHUB_REPOSITORY,,} | sed 's/docker-//'):latest" | tee -a $GITHUB_ENV | |
else | |
echo "IMAGE_REF=$IMAGE_REF" | tee -a $GITHUB_ENV | |
fi | |
env: | |
IMAGE_REF: ${{ inputs.image-ref }} | |
- name: Verify container images | |
run: | | |
cosign verify \ | |
--certificate-oidc-issuer https://token.actions.githubusercontent.com \ | |
--certificate-identity-regexp https://github.com/$GITHUB_REPOSITORY/.github/workflows/ \ | |
$IMAGE_REF | |
- name: Scan container image | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: ${{ env.IMAGE_REF }} | |
format: sarif | |
output: trivy-results.sarif | |
- name: Upload scan results to GitHub Security | |
uses: github/codeql-action/upload-sarif@v2 | |
if: always() | |
with: | |
sarif_file: trivy-results.sarif | |
ref: refs/heads/main | |
sha: ${{ env.BASE_SHA }} |