diff --git a/.github/actions/build-docker-image/action.yml b/.github/actions/build-docker-image/action.yml
index 77a21911..dcda92ea 100644
--- a/.github/actions/build-docker-image/action.yml
+++ b/.github/actions/build-docker-image/action.yml
@@ -90,20 +90,34 @@ runs:
 build-args: ${{ inputs.args }}
 - name: Security Scan
- uses: aquasecurity/trivy-action@master
+ uses: ./.github/actions/trivy
 with:
- image-ref: ${{ inputs.primaryTag }}
- format: template
- template: "@.github/actions/build-docker-image/markdown.tpl"
- output: trivy.md
- if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
+ args: image --format json ${{ inputs.primaryTag }} --output trivy.json
- - name: Security Scan
- uses: aquasecurity/trivy-action@master
+ - name: Print report
+ uses: ./.github/actions/trivy
 with:
- image-ref: ${{ inputs.primaryTag }}
- format: table
- if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
+ args: convert --format=table trivy.json
+
+ - name: Generate SARIF
+ uses: ./.github/actions/trivy
+ with:
+ args: convert --format=sarif --output=trivy.sarif trivy.json
+ if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
+
+ - name: Upload SARIF
+ uses: github/codeql-action/upload-sarif@v2.22.5
+ with:
+ sarif_file: trivy.sarif
+ category: trivy
+ if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
+ continue-on-error: true
+
+ - name: Prepare markdown report
+ uses: ./.github/actions/trivy
+ with:
+ args: convert --format=template --template=@.github/actions/build-docker-image/markdown.tpl --output=trivy.md trivy.json
+ if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name
 - name: Find Trivy Scan Report comment
 uses: peter-evans/find-comment@v2
diff --git a/.github/actions/build-docker-image/markdown.tpl b/.github/actions/build-docker-image/markdown.tpl
index b7e1c954..e61bda2d 100644
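Review bot: The `Upload SARIF` step carries `continue-on-error: true`, so a failed upload (code scanning disabled on the repository, a calling workflow that lacks `security-events: write`) passes green and the scan results silently never reach the Security tab. The step's `if:` already excludes fork pull requests, where the token is read-only, so the usual reason for tolerating the failure does not apply; drop the flag, or record the reason with `# best-effort: <reason> — an upload failure must not fail the image build`. Relatedly, the `Security Scan` step runs `trivy image` with the default exit code, so findings never gate the build; if that is the intended policy, a comment such as `# informational only: the scan does not fail the job` on that step makes it explicit. The new `uses: github/codeql-action/upload-sarif@v2.22.5` is pinned to a mutable tag; pinning third-party actions to a full commit SHA would close that supply-chain gap.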
--- a/.github/actions/build-docker-image/markdown.tpl
+++ b/.github/actions/build-docker-image/markdown.tpl
@@ -2,7 +2,6 @@
 {{- if . }}
 {{- range . }}
 ## {{ .Target }}
-### Vulnerabilities
 {{- if (eq (len .Vulnerabilities) 0) }}
 No vulnerabilities found.
 {{- else }}
@@ -14,18 +13,6 @@ No vulnerabilities found.
 {{- end }}
-### Misconfigurations
-{{- if (eq (len .Misconfigurations ) 0) }}
-No misconfigurations found.
-{{- else }}
-| Type | Misconfiguration ID | Check | Severity | Message |
-| ---- | ------------------- | ----- | -------- | ------- |
-{{- range .Misconfigurations }}
-| {{ .Type }} | {{ .ID }} | {{ .Title }} | {{ .Severity }} | {{ .Message }}
{{ .PrimaryURL }} |
-{{- end }}
-
-{{- end }}
-
 {{- end }}
 {{- else }}
diff --git a/.github/actions/trivy/action.yml b/.github/actions/trivy/action.yml
new file mode 100644
index 00000000..5cd5270f
--- /dev/null
+++ b/.github/actions/trivy/action.yml
@@ -0,0 +1,5 @@
+name: Trivy Scan
+description: Scan for vulnerabilities using Trivy
+runs:
+ using: docker
+ image: docker://aquasec/trivy:0.46.1
diff --git a/.github/workflows/alpine.yml b/.github/workflows/alpine.yml
index 195ec616..f58c7aa6 100644
--- a/.github/workflows/alpine.yml
+++ b/.github/workflows/alpine.yml
@@ -30,6 +30,7 @@ jobs:
 packages: write
 contents: read
 pull-requests: write
+ security-events: write
 steps:
 - name: Check out the repo
 uses: actions/checkout@v4
diff --git a/.github/workflows/build-skeleton.yml b/.github/workflows/build-skeleton.yml
index 8e5d478f..2d72c428 100644
--- a/.github/workflows/build-skeleton.yml
+++ b/.github/workflows/build-skeleton.yml
@@ -16,29 +16,14 @@ jobs:
 permissions:
 packages: write
 contents: read
+ security-events: write
 steps:
 - name: Check out the repo
 uses: actions/checkout@v4
- - name: Set up QEMU
- uses: docker/setup-qemu-action@v3
-
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
-
- - name: Log in to GitHub Docker Registry
- uses: docker/login-action@v3
- with:
- registry: https://ghcr.io
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Build container image
- uses: docker/build-push-action@v5
+ - name: Build and push image
+ uses: ./.github/actions/build-docker-image
 with:
 context: skeleton
- file: skeleton/Dockerfile
- platforms: linux/amd64,linux/arm64
 push: true
- tags: |
- ghcr.io/automattic/vip-container-images/skeleton:latest
+ primaryTag: ghcr.io/automattic/vip-container-images/skeleton:latest
diff --git a/.github/workflows/dev-tools.yml b/.github/workflows/dev-tools.yml
index 0f1bede3..9f3ab358 100644
--- a/.github/workflows/dev-tools.yml
+++ b/.github/workflows/dev-tools.yml
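Review bot: `image: docker://aquasec/trivy:0.46.1` pins the scanner by a mutable Docker Hub tag, so the job's supply chain still depends on that tag never being re-pushed; adding the digest, `image: docker://aquasec/trivy:0.46.1@sha256:<digest-placeholder>`, makes the scanner image immutable and completes the move away from `trivy-action@master`. The action declares no `inputs:`, so callers depend on the runner's Docker-action-specific `with: args:` passthrough to the container ENTRYPOINT; a comment above `runs:` such as `# No declared inputs: callers pass Trivy CLI arguments through the Docker-action 'args' passthrough` would save the next reader a lookup. The `description` says the action scans for vulnerabilities, yet the callers in `build-docker-image/action.yml` also use it for `convert`; `description: Run the Trivy CLI (scan or convert) in a pinned container` would match actual use.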
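Review bot: The removed build step passed `file: skeleton/Dockerfile` and `platforms: linux/amd64,linux/arm64`, but the new call to `./.github/actions/build-docker-image` forwards only `context`, `push` and `primaryTag`; unless the composite action defaults to the same Dockerfile and platform list (its inputs are outside this diff), the skeleton image quietly loses its arm64 build. If the action accepts those inputs, pass them explicitly, e.g. `platforms: linux/amd64,linux/arm64`, so the published manifest stays unchanged. This job's `permissions:` grant only `packages`, `contents` and `security-events`, while the action's markdown-comment steps are gated on `pull_request` events; if this workflow can run on pull requests they will need `pull-requests: write`, which the other workflows in this change do grant. The registry login removed here presumably now happens inside the action — worth confirming, since `push: true` is still set.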
@@ -30,6 +30,7 @@ jobs:
 packages: write
 contents: read
 pull-requests: write
+ security-events: write
 steps:
 - name: Check out the repo
 uses: actions/checkout@v4
diff --git a/.github/workflows/mu-plugins.yml b/.github/workflows/mu-plugins.yml
index 2c42b3c9..d1e07248 100644
--- a/.github/workflows/mu-plugins.yml
+++ b/.github/workflows/mu-plugins.yml
@@ -33,6 +33,7 @@ jobs:
 packages: write
 contents: read
 pull-requests: write
+ security-events: write
 steps:
 - name: Check out the repo
 uses: actions/checkout@v4
diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml
index b9dd69b3..560c9e5c 100644
--- a/.github/workflows/nginx.yml
+++ b/.github/workflows/nginx.yml
@@ -30,6 +30,7 @@ jobs:
 packages: write
 contents: read
 pull-requests: write
+ security-events: write
 steps:
 - name: Check out the repo
 uses: actions/checkout@v4
diff --git a/.github/workflows/photon.yml b/.github/workflows/photon.yml
index 0c3a7bf0..82a825cb 100644
--- a/.github/workflows/photon.yml
+++ b/.github/workflows/photon.yml
@@ -30,6 +30,7 @@ jobs:
 packages: write
 contents: read
 pull-requests: write
+ security-events: write
 steps:
 - name: Check out the repo
 uses: actions/checkout@v4
diff --git a/.github/workflows/php-fpm.yml b/.github/workflows/php-fpm.yml
index 03474433..42391e93 100644
--- a/.github/workflows/php-fpm.yml
+++ b/.github/workflows/php-fpm.yml
@@ -30,6 +30,7 @@ jobs:
 packages: write
 contents: read
 pull-requests: write
+ security-events: write
 strategy:
 fail-fast: false
 matrix:
diff --git a/.github/workflows/skeleton.yml b/.github/workflows/skeleton.yml
index b0477589..b076e9d7 100644
--- a/.github/workflows/skeleton.yml
+++ b/.github/workflows/skeleton.yml
@@ -30,6 +30,7 @@ jobs:
 packages: write
 contents: read
 pull-requests: write
+ security-events: write
 steps:
 - name: Check out the repo
 uses: actions/checkout@v4
diff --git a/.github/workflows/traefik.yml b/.github/workflows/traefik.yml
index 8dd716a4..8d0b284d 100644
--- a/.github/workflows/traefik.yml
+++ b/.github/workflows/traefik.yml
@@ -30,6 +30,7 @@ jobs:
 packages: write
 contents: read
 pull-requests: write
+ security-events: write
 steps:
 - name: Check out the repo
 uses: actions/checkout@v4
diff --git a/.github/workflows/wordpress.yml b/.github/workflows/wordpress.yml
index 3e58735c..7d6962b8 100644
--- a/.github/workflows/wordpress.yml
+++ b/.github/workflows/wordpress.yml
@@ -47,6 +47,7 @@ jobs:
 contents: read
 packages: write
 pull-requests: write
+ security-events: write
 strategy:
 fail-fast: false
 matrix: