container-scan.yml
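name: container-scan

on:
  schedule:
    - cron: '0 2 * * *'
  workflow_dispatch:

# No token permissions by default; each job grants only what it needs.
permissions: {}

env:
  FORCE_COLOR: 3
  TERM: xterm

jobs:
  scan-image:
    runs-on: ubuntu-latest
    # Forks have neither the registry credentials nor the rebuild token.
    if: github.event.repository.fork == false

    concurrency:
      group: ${{ github.workflow }}
      cancel-in-progress: false

    permissions:
      contents: read
      security-events: write  # required by codeql-action/upload-sarif

    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          filter: 'tree:0'
          show-progress: false

      - name: Configure Trivy
        id: configure
        shell: pwsh
        # The image reference is built only from the repository identity
        # (GITHUB_REPOSITORY_OWNER / GITHUB_REPOSITORY), not from any
        # user-supplied input, so it is safe to write to GITHUB_OUTPUT as-is.
        run: |
          $registry = "${env:GITHUB_REPOSITORY_OWNER}.azurecr.io"
          $image = "${registry}/${env:GITHUB_REPOSITORY}:latest".ToLowerInvariant()
          "container-image=${image}" >> ${env:GITHUB_OUTPUT}

      # The image is scanned twice with identical settings: once for SARIF
      # (code scanning) and once for JSON (the rebuild decision below).
      # Keep the two `with:` blocks in sync.
      - name: Run Trivy (SARIF)
        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
        env:
          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
          TRIVY_USERNAME: ${{ secrets.TRIVY_USERNAME }}
          TRIVY_PASSWORD: ${{ secrets.TRIVY_PASSWORD }}
        with:
          format: sarif
          ignore-unfixed: true
          image-ref: ${{ steps.configure.outputs.container-image }}
          limit-severities-for-sarif: true
          output: trivy.sarif
          severity: CRITICAL,HIGH

      - name: Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
        # Upload whatever was produced even if a later step fails.
        if: ${{ !cancelled() }}
        with:
          sarif_file: trivy.sarif

      - name: Run Trivy (JSON)
        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
        env:
          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
          TRIVY_USERNAME: ${{ secrets.TRIVY_USERNAME }}
          TRIVY_PASSWORD: ${{ secrets.TRIVY_PASSWORD }}
        with:
          format: json
          ignore-unfixed: true
          image-ref: ${{ steps.configure.outputs.container-image }}
          output: trivy.json
          severity: CRITICAL,HIGH

      - name: Check for vulnerabilities
        id: check-for-vulnerabilities
        shell: pwsh
        # Reads the JSON report, publishes `has-vulnerabilities` (true/false)
        # as a step output, and writes a Markdown table to the job summary.
        run: |
          $scan = Get-Content ./trivy.json | Out-String | ConvertFrom-Json

          $vulnerabilities = @()
          $hasVulnerabilities = $false

          foreach ($target in $scan.Results) {
            # Vulnerabilities in the .NET application itself are listed in the
            # report but do not trigger a rebuild: rebuilding the container
            # image won't fix them.
            $rebuildWouldFix = $target.Type -ne "dotnet-core"
            foreach ($vulnerability in $target.Vulnerabilities) {
              $vulnerabilities += $vulnerability
              if ($rebuildWouldFix) {
                $hasVulnerabilities = $true
              }
            }
          }

          "has-vulnerabilities=${hasVulnerabilities}".ToLowerInvariant() >> ${env:GITHUB_OUTPUT}

          # Titles and descriptions are free text from the vulnerability
          # database; pipes and line breaks in them would otherwise break
          # the Markdown table (or spill a value into the next column).
          function Format-Cell([string] $value) {
            if ([string]::IsNullOrEmpty($value)) {
              return ""
            }
            return (($value -replace "`r?`n", " ") -replace '\|', '\|')
          }

          $summary = @(
            "# Container Image Vulnerability Report",
            ""
          )

          if ($vulnerabilities.Length -eq 0) {
            $summary += ":closed_lock_with_key: No vulnerabilities found."
          } else {
            $summary += "| Library | Vulnerability | Severity | Status | Installed Version | Fixed Version | Title |"
            $summary += "|:--------|:--------------|:---------|:-------|:------------------|:--------------|:------|"
            foreach ($vulnerability in $vulnerabilities) {
              # Fall back to the description when the advisory has no title.
              $title = $vulnerability.Title
              if ([string]::IsNullOrEmpty($title)) {
                $title = $vulnerability.Description
              }
              # ignore-unfixed is set above, but keep the fallback defensive.
              $fixedVersion = $vulnerability.FixedVersion
              if ([string]::IsNullOrEmpty($fixedVersion)) {
                $fixedVersion = "N/A"
              }
              $cells = @(
                (Format-Cell $vulnerability.PkgName),
                (Format-Cell $vulnerability.VulnerabilityID),
                (Format-Cell $vulnerability.Severity),
                (Format-Cell $vulnerability.Status),
                (Format-Cell $vulnerability.InstalledVersion),
                (Format-Cell $fixedVersion),
                "[$(Format-Cell $title)]($($vulnerability.PrimaryURL))"
              )
              $summary += "| $($cells -Join ' | ') |"
            }
          }

          $summary += ""
          $summary += ""
          ($summary -Join "`n") >> ${env:GITHUB_STEP_SUMMARY}

      - name: Rebuild if any vulnerabilities found
        # Only the nightly run triggers a rebuild; manual dispatches just report.
        if: |
          github.event_name == 'schedule' &&
          steps.check-for-vulnerabilities.outputs.has-vulnerabilities == 'true'
        env:
          # NOTE(review): a dedicated token rather than GITHUB_TOKEN; confirm it is
          # scoped to the minimum needed to dispatch build.yml in this repository.
          GH_TOKEN: ${{ secrets.COSTELLOBOT_TOKEN }}
        run: gh workflow run build.yml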