Skip to content

Container Security Scan #79

Container Security Scan

Container Security Scan #79

# Copyright AGNTCY Contributors (https://github.com/agntcy)
# SPDX-License-Identifier: Apache-2.0
---
name: Container Security Scan
on:
workflow_dispatch:
schedule:
- cron: "0 3 * * *" # Daily at 03:00 UTC
permissions:
contents: read
security-events: write # for uploading SARIF
actions: read
issues: write # create issues for critical CVEs
jobs:
trivy-scan:
name: Trivy Scan ${{ matrix.image }}
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
image:
- dir-runtime-discovery
- dir-runtime-server
steps:
- name: Scan image
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
with:
image-ref: ghcr.io/agntcy/${{ matrix.image }}:latest
github-pat: ${{ secrets.GITHUB_TOKEN }}
format: sarif
output: trivy-${{ matrix.image }}.sarif
vuln-type: "os,library"
severity: "CRITICAL,HIGH,MEDIUM"
ignore-unfixed: true
- name: Export image metadata
run: echo "ghcr.io/agntcy/${{ matrix.image }}:latest" > trivy-${{ matrix.image }}.meta
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
sarif_file: trivy-${{ matrix.image }}.sarif
category: trivy-${{ matrix.image }}
- name: Upload report artifacts
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: trivy-report-${{ matrix.image }}
path: |
trivy-${{ matrix.image }}.sarif
trivy-${{ matrix.image }}.meta
retention-days: 7
summarize:
name: Summarize Results
needs: [trivy-scan]
runs-on: ubuntu-latest
if: always()
steps:
- name: Checkout
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- name: Download artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: trivy-report-*
path: trivy-artifacts
- name: Generate summary
run: |
chmod +x .github/workflows/scripts/security/generate_trivy_summary.sh
.github/workflows/scripts/security/generate_trivy_summary.sh
- name: Fail if critical vulns found (optional gate)
if: ${{ github.event_name != 'pull_request' }}
run: |
set -e
found=$(grep -R "CRITICAL" -c trivy-artifacts || true)
if [ "${found}" != "0" ]; then
echo "Critical vulnerabilities detected. (Gate currently informational.)" >&2
fi
- name: Create GitHub issues for critical CVEs
if: ${{ github.event_name != 'pull_request' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_REPOSITORY: ${{ github.repository }}
run: |
set -euo pipefail
echo "Installing dependencies for issue creation script";
npm init -y >/dev/null 2>&1 || true
npm install @octokit/rest@21 glob >/dev/null 2>&1
node .github/workflows/scripts/security/create_critical_cve_issues.js