Container Security Scan #79
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Copyright AGNTCY Contributors (https://github.com/agntcy) | |
| # SPDX-License-Identifier: Apache-2.0 | |
| --- | |
| name: Container Security Scan | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| - cron: "0 3 * * *" # Daily at 03:00 UTC | |
| permissions: | |
| contents: read | |
| security-events: write # for uploading SARIF | |
| actions: read | |
| issues: write # create issues for critical CVEs | |
| jobs: | |
| trivy-scan: | |
| name: Trivy Scan ${{ matrix.image }} | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| image: | |
| - dir-runtime-discovery | |
| - dir-runtime-server | |
| steps: | |
| - name: Scan image | |
| uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 | |
| with: | |
| image-ref: ghcr.io/agntcy/${{ matrix.image }}:latest | |
| github-pat: ${{ secrets.GITHUB_TOKEN }} | |
| format: sarif | |
| output: trivy-${{ matrix.image }}.sarif | |
| vuln-type: "os,library" | |
| severity: "CRITICAL,HIGH,MEDIUM" | |
| ignore-unfixed: true | |
| - name: Export image metadata | |
| run: echo "ghcr.io/agntcy/${{ matrix.image }}:latest" > trivy-${{ matrix.image }}.meta | |
| - name: Upload SARIF | |
| uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 | |
| with: | |
| sarif_file: trivy-${{ matrix.image }}.sarif | |
| category: trivy-${{ matrix.image }} | |
| - name: Upload report artifacts | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| with: | |
| name: trivy-report-${{ matrix.image }} | |
| path: | | |
| trivy-${{ matrix.image }}.sarif | |
| trivy-${{ matrix.image }}.meta | |
| retention-days: 7 | |
| summarize: | |
| name: Summarize Results | |
| needs: [trivy-scan] | |
| runs-on: ubuntu-latest | |
| if: always() | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| - name: Download artifacts | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| pattern: trivy-report-* | |
| path: trivy-artifacts | |
| - name: Generate summary | |
| run: | | |
| chmod +x .github/workflows/scripts/security/generate_trivy_summary.sh | |
| .github/workflows/scripts/security/generate_trivy_summary.sh | |
| - name: Fail if critical vulns found (optional gate) | |
| if: ${{ github.event_name != 'pull_request' }} | |
| run: | | |
| set -e | |
| found=$(grep -R "CRITICAL" -c trivy-artifacts || true) | |
| if [ "${found}" != "0" ]; then | |
| echo "Critical vulnerabilities detected. (Gate currently informational.)" >&2 | |
| fi | |
| - name: Create GitHub issues for critical CVEs | |
| if: ${{ github.event_name != 'pull_request' }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITHUB_REPOSITORY: ${{ github.repository }} | |
| run: | | |
| set -euo pipefail | |
| echo "Installing dependencies for issue creation script"; | |
| npm init -y >/dev/null 2>&1 || true | |
| npm install @octokit/rest@21 glob >/dev/null 2>&1 | |
| node .github/workflows/scripts/security/create_critical_cve_issues.js |