forked from wiremock/wiremock
-
Notifications
You must be signed in to change notification settings - Fork 33
122 lines (117 loc) · 4.01 KB
/
docker-image-scan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
name: Docker Image Scan
on:
workflow_dispatch:
schedule:
- cron: "0 0 * * *"
jobs:
scan:
name: DockerImageScan
runs-on: ubuntu-latest
outputs:
result: ${{ steps.trivy-result.outputs.result }}
version: ${{ steps.extract-version.outputs.version }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Extract latest release
id: extract-release
shell: bash
env:
GH_TOKEN: ${{ github.token }}
run: |
#!/bin/bash
release=$(gh release view --jq ".tag")
echo "$release"
echo "release=$release" >> "$GITHUB_OUTPUT"
- name: Extract version
id: extract-version
run: |
tag=${{ steps.extract-release.outputs.release }}
version=${tag%-*}
echo $version
echo "version=${version}" >> $GITHUB_OUTPUT
- id: trivy-db
name: Check trivy db sha
env:
GH_TOKEN: ${{ github.token }}
run: |
endpoint='/orgs/aquasecurity/packages/container/trivy-db/versions'
headers='Accept: application/vnd.github+json'
jqFilter='.[] | select(.metadata.container.tags[] | contains("latest")) | .name | sub("sha256:";"")'
sha=$(gh api -H "${headers}" "${endpoint}" | jq --raw-output "${jqFilter}")
echo "Trivy DB sha256:${sha}"
echo "sha=${sha}" >> $GITHUB_OUTPUT
- id: ignore-policies
name: Ignore some policies
run: |
cat > .trivyignore << EOL
# Ignore gosu issue. They say they are not affected. Issue will be removed as soon
# as wiremock image updates to a newer gosu version, which removed runc.
CVE-2023-27561
CVE-2024-21626
EOL
- uses: actions/cache@v4
with:
path: .trivy
key: ${{ runner.os }}-trivy-db-${{ steps.trivy-db.outputs.sha }}
- name: Run Trivy json result
uses: aquasecurity/[email protected]
with:
image-ref: 'docker.io/holomekc/wiremock-gui'
format: 'json'
exit-code: '0'
output: trivy-result.json
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
hide-progress: true
cache-dir: .trivy
- name: Run Trivy sarif result
uses: aquasecurity/[email protected]
with:
image-ref: 'docker.io/holomekc/wiremock-gui'
format: 'sarif'
exit-code: '0'
output: trivy-result.sarif
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
hide-progress: true
cache-dir: .trivy
- name: Run Trivy sbom result
uses: aquasecurity/[email protected]
with:
image-ref: 'docker.io/holomekc/wiremock-gui'
format: 'github'
exit-code: '0'
output: dependency-results.sbom.json
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
hide-progress: true
cache-dir: .trivy
github-pat: ${{ secrets.GITHUB_TOKEN }}
- name: Fix .trivy permissions
run: sudo chown -R $(stat . -c %u:%g) .trivy
- name: Check result
id: trivy-result
shell: bash
run: |
#!/bin/bash
cat trivy-result.json
jq -e 'select((.Results[].Vulnerabilities | length) > 0)' trivy-result.json && code=$? || code=$?
echo "result=${code}" >> $GITHUB_OUTPUT
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-result.sarif'
docker:
needs: [scan]
# Looks strange, but 0=Vulnerabilities found
if: ${{ needs.scan.outputs.result == 0 }}
uses: ./.github/workflows/docker-release.yml
with:
version: ${{ needs.scan.outputs.version }}
secrets:
dockerUsername: ${{ secrets.DOCKERHUB_USERNAME }}
dockerToken: ${{ secrets.DOCKERHUB_TOKEN }}