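name: Trivy scan image for vulnerabilities

# Pulls each cluster image named in the .stackhpc tfvars JSON from the CI cloud,
# mounts it read-only and runs Trivy against the filesystem: one SARIF upload to
# the Security tab, then a second table-format scan that fails on fixable CRITICALs.
on:
  workflow_dispatch:
  pull_request:
    branches:
      - main
    paths:
      - 'environments/.stackhpc/terraform/cluster_image.auto.tfvars.json'

# Least-privilege token: checkout needs contents:read, upload-sarif needs
# security-events:write (plus actions:read on private repositories).
permissions:
  contents: read
  security-events: write
  actions: read

jobs:
  scan:
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.build }} # to branch/PR + build
      cancel-in-progress: true
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        build: ["RL8", "RL9"]
    env:
      JSON_PATH: environments/.stackhpc/terraform/cluster_image.auto.tfvars.json
      OS_CLOUD: openstack
      CI_CLOUD: ${{ vars.CI_CLOUD }}
    steps:
      - uses: actions/checkout@v4

      - name: Record settings for CI cloud
        run: |
          echo "CI_CLOUD: $CI_CLOUD"
        shell: bash

      - name: Setup ssh
        # The key is passed through env rather than expanded with ${{ }} into the
        # script text, so it never forms part of the shell command line. No
        # `set -x` here: xtrace would echo the key contents into the step log.
        env:
          SSH_KEY: ${{ secrets[format('{0}_SSH_KEY', env.CI_CLOUD)] }}
        run: |
          umask 077  # ~/.ssh and id_rsa are created private from the start
          mkdir -p ~/.ssh
          echo "$SSH_KEY" > ~/.ssh/id_rsa
          chmod 0600 ~/.ssh/id_rsa
        shell: bash

      - name: Add bastion's ssh key to known_hosts
        run: cat environments/.stackhpc/bastion_fingerprints >> ~/.ssh/known_hosts
        shell: bash

      - name: setup environment
        run: |
          python3 -m venv venv
          . venv/bin/activate
          pip install -U pip
          # install only the openstackclient pin from requirements.txt, not the whole file
          pip install $(grep -o 'python-openstackclient[><=0-9\.]*' requirements.txt)
        shell: bash

      - name: Write clouds.yaml
        # Same pattern as the ssh key: secret via env, never inlined in the script.
        env:
          CLOUDS_YAML: ${{ secrets[format('{0}_CLOUDS_YAML', env.CI_CLOUD)] }}
        run: |
          umask 077
          mkdir -p ~/.config/openstack/
          echo "$CLOUDS_YAML" > ~/.config/openstack/clouds.yaml
        shell: bash

      - name: Parse image name json
        id: manifest
        env:
          BUILD: ${{ matrix.build }}
        run: |
          # -e makes jq exit non-zero when the key is missing (null), so the job
          # stops here instead of continuing with a literal "null" image name.
          IMAGE_NAME=$(jq --arg version "$BUILD" -er '.cluster_image[$version]' "$JSON_PATH")
          # The name comes from a PR-editable file and is used as a path component
          # below: refuse anything that could escape the directory or smuggle an
          # extra line into GITHUB_ENV / GITHUB_OUTPUT.
          case "$IMAGE_NAME" in
            *$'\n'*|*/*|"")
              echo "Refusing unsafe image name for build ${BUILD}" >&2
              exit 1
              ;;
          esac
          echo "image-name=${IMAGE_NAME}" >> "$GITHUB_OUTPUT"
          # Exported as a plain env var so later shell steps use "$IMAGE_NAME"
          # instead of expanding the value into their script text.
          echo "IMAGE_NAME=${IMAGE_NAME}" >> "$GITHUB_ENV"
        shell: bash

      - name: Download image
        run: |
          . venv/bin/activate
          sudo mkdir -p /mnt/images
          # writable by the runner user only, rather than world-writable (777)
          sudo chown "$(id -u):$(id -g)" /mnt/images
          openstack image save --file "/mnt/images/${IMAGE_NAME}.qcow2" "$IMAGE_NAME"
        shell: bash

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: install libguestfs
        run: |
          sudo apt -y update
          sudo apt -y install libguestfs-tools
        shell: bash

      - name: mkdir for mount
        run: sudo mkdir -p "./${IMAGE_NAME}"
        shell: bash

      - name: mount qcow2 file
        # read-only mount; allow_other lets the non-root Trivy action read it
        run: sudo guestmount -a "/mnt/images/${IMAGE_NAME}.qcow2" -i --ro -o allow_other "./${IMAGE_NAME}"
        shell: bash

      - name: Run Trivy vulnerability scanner
        # NOTE: the action version reference appears garbled in this copy of the
        # file ("[email protected]"); it should be a pinned trivy-action release.
        uses: aquasecurity/[email protected]
        with:
          scan-type: fs
          scan-ref: "${{ steps.manifest.outputs.image-name }}"
          # vuln only: secret scanning is turned off to speed things up
          scanners: "vuln"
          format: sarif
          output: "${{ steps.manifest.outputs.image-name }}.sarif"
          timeout: 15m
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TRIVY_DB_REPOSITORY: ghcr.io/azimuth-cloud/trivy-db:2

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: "${{ steps.manifest.outputs.image-name }}.sarif"
          # one category per matrix build so RL8 and RL9 results do not overwrite each other
          category: "${{ matrix.build }}"

      - name: Fail if scan has CRITICAL vulnerabilities
        # Second pass in table format purely as a gate: exit 1 on any fixable
        # CRITICAL. Runs after the upload so findings are always published.
        uses: aquasecurity/[email protected]
        with:
          scan-type: fs
          scan-ref: "${{ steps.manifest.outputs.image-name }}"
          scanners: "vuln"
          format: table
          exit-code: '1'
          severity: 'CRITICAL'
          ignore-unfixed: true
          timeout: 15m
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TRIVY_DB_REPOSITORY: ghcr.io/azimuth-cloud/trivy-db:2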