Skip to content

Commit

Permalink
Merge pull request #1004 from Automattic/optional-scan
Browse files Browse the repository at this point in the history
ci: add an option to disable image scan
  • Loading branch information
sjinks authored Dec 8, 2024
2 parents 87d0240 + 9697ab2 commit 69a9906
Show file tree
Hide file tree
Showing 4 changed files with 20 additions and 6 deletions.
23 changes: 17 additions & 6 deletions .github/actions/build-docker-image/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,10 @@ inputs:
description: The token to authenticate with GitHub
required: false
default: ${{ github.token }}
scan:
description: Whether to scan the image
required: false
default: 'true'
runs:
using: composite
steps:
Expand Down Expand Up @@ -134,12 +138,14 @@ runs:
- name: Create cache directory
shell: bash
run: mkdir -p .cache/trivy/db
if: inputs.scan == 'true'

- name: Restore Trivy database
uses: actions/cache/[email protected]
with:
path: .cache/trivy/db
key: trivy
if: inputs.scan == 'true'

- name: Calculate database hash
shell: bash
Expand All @@ -150,11 +156,13 @@ runs:
else
echo "hash=" >> "${GITHUB_OUTPUT}"
fi
if: inputs.scan == 'true'

- name: Get Docker socket
id: socket
run: echo docker_socket="$(docker context ls --format json | jq -r 'select(.Current == true) | .DockerEndpoint' | sed 's!^unix://!!')" >> "${GITHUB_OUTPUT}"
shell: bash
if: inputs.scan == 'true'

- name: Security Scan
shell: bash
Expand All @@ -166,6 +174,7 @@ runs:
-w /workdir \
aquasec/trivy:0.57.1 image --format json --ignore-unfixed --pkg-types os --scanners vuln --db-repository ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2 ${{ inputs.primaryTag }} --output trivy.json
sudo chmod a+r -R .cache
if: inputs.scan == 'true'

- name: Calculate database hash
shell: bash
Expand All @@ -176,45 +185,47 @@ runs:
else
echo "hash=" >> "${GITHUB_OUTPUT}"
fi
if: inputs.scan == 'true'

- name: Cache Trivy database
uses: actions/cache/[email protected]
with:
path: .cache/trivy/db
key: trivy
if: steps.old_hash.outputs.hash != steps.new_hash.outputs.hash && steps.new_hash.outputs.hash != ''
if: inputs.scan == 'true' && steps.old_hash.outputs.hash != steps.new_hash.outputs.hash && steps.new_hash.outputs.hash != ''

- name: Print report
uses: docker://aquasec/trivy:0.57.1
with:
args: convert --format=table trivy.json
if: inputs.scan == 'true'

- name: Generate SARIF
uses: docker://aquasec/trivy:0.57.1
with:
args: convert --format=sarif --output=${{ steps.filename.outputs.filename }} trivy.json
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
if: inputs.scan == 'true' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name)

- name: Upload SARIF
uses: github/codeql-action/[email protected]
with:
sarif_file: ${{ steps.filename.outputs.filename }}
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
if: inputs.scan == 'true' && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name)
continue-on-error: true

- name: Prepare markdown report
uses: docker://aquasec/trivy:0.57.1
with:
args: convert --format=template [email protected]/actions/build-docker-image/markdown.tpl --output=trivy.md trivy.json
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
if: inputs.scan == 'true' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name

- name: Find Trivy Scan Report comment
uses: peter-evans/find-comment@v3
id: fc
with:
issue-number: ${{ github.event.pull_request.number }}
body-includes: ${{ inputs.primaryTag }}
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
if: inputs.scan == 'true' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name

- name: Create or update comment
uses: peter-evans/create-or-update-comment@v4
Expand All @@ -223,4 +234,4 @@ runs:
issue-number: ${{ github.event.pull_request.number }}
body-path: trivy.md
edit-mode: replace
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
if: inputs.scan == 'true' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
1 change: 1 addition & 0 deletions .github/workflows/dev-tools.yml
Original file line number Diff line number Diff line change
Expand Up @@ -47,3 +47,4 @@ jobs:
cache-to: type=gha,mode=max,scope=dev-tools
primaryTag: ghcr.io/automattic/vip-container-images/dev-tools:0.9
tags: ghcr.io/automattic/vip-container-images/dev-tools:0.9
scan: false
1 change: 1 addition & 0 deletions .github/workflows/helpers.yml
Original file line number Diff line number Diff line change
Expand Up @@ -46,3 +46,4 @@ jobs:
cache-to: type=gha,mode=max,scope=helpers
no-cache: ${{ github.event_name == 'workflow_dispatch' }}
primaryTag: ghcr.io/automattic/vip-container-images/helpers:v1
scan: false
1 change: 1 addition & 0 deletions .github/workflows/skeleton.yml
Original file line number Diff line number Diff line change
Expand Up @@ -43,3 +43,4 @@ jobs:
context: skeleton
push: ${{ github.base_ref == null }}
primaryTag: ghcr.io/automattic/vip-container-images/skeleton:latest
scan: false

0 comments on commit 69a9906

Please sign in to comment.