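# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
#
# Container scanning pipeline: every directory that holds a Dockerfile is
# built into an image, an SBOM (syft) and a vulnerability report (grype) are
# produced, and Trivy writes a SARIF report that is uploaded to the GitHub
# Security tab.
#
# The Dockerfile directory is discovered from file names in the checked-out
# tree, so on pull_request events it is repository-controlled input. Shell
# steps therefore read it from an environment variable (quoted) instead of
# splicing `${{ matrix.dockerfile }}` into the script text, which would let a
# crafted path name alter the commands.
name: trivy
on:  # yamllint disable-line rule:truthy
  push:
    branches: [ "main" ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ "main" ]
  schedule:
    - cron: '43 16 * * 1'
# No token permissions by default; each job declares the minimum it needs.
permissions: {}
jobs:
  detect-dockerfiles:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      dockerfiles: ${{ steps.find-dockerfiles.outputs.dockerfiles }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Find Dockerfiles
        id: find-dockerfiles
        # Emits a compact JSON array of directories (relative to the repo
        # root, leading "./" stripped) that contain a Dockerfile. jq -R
        # escapes each path, so unusual characters cannot break the array
        # that feeds the build matrix.
        run: |
          DOCKERFILES=$(find . -name Dockerfile -exec dirname {} \; | sed 's/^\.\///' | jq -R -s -c 'split("\n")[:-1]')
          echo "dockerfiles=${DOCKERFILES}" >> "${GITHUB_OUTPUT}"
  build:
    needs: [detect-dockerfiles]
    # Skip the whole matrix when no Dockerfile was found (empty array or
    # empty output).
    if: ${{ needs.detect-dockerfiles.outputs.dockerfiles != '[]' && needs.detect-dockerfiles.outputs.dockerfiles != '' }}
    strategy:
      fail-fast: false
      matrix:
        dockerfile: ${{ fromJson(needs.detect-dockerfiles.outputs.dockerfiles) }}
    name: Build ${{ matrix.dockerfile }}
    permissions:
      contents: read
      # Required by the upload-sarif step below.
      security-events: write
    runs-on: ubuntu-latest
    env:
      # Directory containing the Dockerfile under test. Every `run:` step
      # reads it as a quoted shell variable; it must never be interpolated
      # with `${{ }}` into script text.
      DOCKERFILE: ${{ matrix.dockerfile }}
    steps:
      - name: Clear Up Space (Agressively) for Trivy Scans that Run Out of Space
        if: contains(toJson('["src/core-mcp-server"]'), matrix.dockerfile)
        uses: awslabs/mcp/.github/actions/clear-space-ubuntu-latest-agressively@11841059cfcc830c367325450a1898ebffef6e01
      - name: Get Checkout Depth
        id: checkout-depth
        env:
          # Number of commits in the PR; 0 for non-pull_request events.
          PR_COMMITS: ${{ (github.event_name == 'pull_request' && github.event.pull_request.commits) || 0 }}
        run: |
          # Fetch depth is the number of commits in the PR plus one, otherwise 1
          echo "fetch-depth=$(( ${PR_COMMITS:-0} + 1 ))" >> "${GITHUB_OUTPUT}"
          # Artifact-safe name: drop a leading "/" and the first path
          # component, drop a trailing "/Dockerfile", turn the remaining
          # slashes into "_" and cap the result at 128 bytes
          echo "image-name=$( echo "${DOCKERFILE}" | sed 's|^/||; s|^[^/]*/||; s|/Dockerfile$||; s|/|_|g' | head -c128 )" >> "${GITHUB_OUTPUT}"
      - name: Checkout code
        id: checkout-code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          lfs: true
          fetch-depth: ${{ steps.checkout-depth.outputs.fetch-depth || '1' }}
          # Only the Trivy config, the .vex path and the directory under
          # test are checked out.
          sparse-checkout: |
            trivy.yaml
            .vex
            ${{ matrix.dockerfile }}
      - name: If trivy-results.sarif exists, it must be part of the PR changes
        if: github.event_name == 'pull_request' && hashFiles(format('{0}/trivy-results.sarif', matrix.dockerfile)) != ''
        id: check-sarif-in-pr
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ steps.checkout-code.outputs.commit }}
        run: |
          # A committed SARIF file is only accepted when this PR touched it;
          # otherwise a stale report would be uploaded instead of a fresh scan
          # (the Trivy step below is skipped whenever the file exists).
          SARIF="${DOCKERFILE}/trivy-results.sarif"
          if git diff --name-only "${BASE_SHA}..${HEAD_SHA}" | grep -qF -- "${SARIF}"; then
            echo "${SARIF} is in the PR changes"
            echo "sarif-in-pr=true" >> "${GITHUB_OUTPUT}"
            echo "::group::Here is the SARIF file before LFS pull"
            cat "${SARIF}"
            echo "::endgroup::"
          else
            echo "Either remove the ${SARIF} or include a fresh one in the PR"
            echo "sarif-in-pr=false" >> "${GITHUB_OUTPUT}"
            exit 1
          fi
      - name: Build an image from Dockerfile
        working-directory: ${{ matrix.dockerfile }}
        run: |
          docker build -t "docker.io/${DOCKERFILE}:${GITHUB_SHA}" .
      - name: Save an image
        working-directory: ${{ matrix.dockerfile }}
        run: |
          docker image save -o "${RUNNER_TEMP}/image.tar" "docker.io/${DOCKERFILE}:${GITHUB_SHA}"
      - name: Upload digest
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: image-${{ steps.checkout-depth.outputs.image-name }}
          path: ${{ runner.temp }}/image.tar
          if-no-files-found: error
          retention-days: 1
      - name: Generate Container Software Bill of Materials and Vulnerabilities
        run: |
          # Installer scripts are pinned to a commit and the tools to a version
          curl -sSfL https://raw.githubusercontent.com/anchore/syft/e9e34948534ab945c7e750376235cfe0c442f532/install.sh | sh -s -- -b /usr/local/bin v1.39.0
          curl -sSfL https://raw.githubusercontent.com/anchore/grype/43e7e3246ed01b1ec0ff54f9b054201ccbe78e3a/install.sh | sh -s -- -b /usr/local/bin v0.104.3
          syft scan "${RUNNER_TEMP}/image.tar" -o json > "${DOCKERFILE}/syft-results.json"
          cat "${DOCKERFILE}/syft-results.json" | grype | tee "${DOCKERFILE}/grype.txt"
          syft convert "${DOCKERFILE}/syft-results.json" -o cyclonedx-json > "${DOCKERFILE}/cyclonedx.json"
          # NOTE(review): cyclonedx/cyclonedx-cli is pulled by floating tag,
          # unlike the pinned tools above; consider pinning it to a digest.
          docker run --rm -v "$(pwd):/data" cyclonedx/cyclonedx-cli convert \
            --input-file "/data/${DOCKERFILE}/cyclonedx.json" \
            --input-format json \
            --output-file "/data/${DOCKERFILE}/sbom.csv" \
            --output-format csv
          cat "${DOCKERFILE}/sbom.csv"
      - name: Delete the exported image
        run: |
          rm -r -f "${RUNNER_TEMP}/image.tar"
      - name: Run Trivy vulnerability scanner
        # Skipped when a SARIF report is already committed for this directory
        # (validated against the PR changes above).
        if: hashFiles(format('{0}/trivy-results.sarif', matrix.dockerfile)) == ''
        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 #v0.34.2
        with:
          image-ref: 'docker.io/${{ matrix.dockerfile }}:${{ github.sha }}'
          format: 'sarif'
          output: '${{ matrix.dockerfile }}/trivy-results.sarif'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@c0fc915677567258ee3c194d03ffe7ae3dc8d741 # v4.31.9
        with:
          sarif_file: '${{ matrix.dockerfile }}/trivy-results.sarif'
      - name: Upload results
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: trivy-results-${{ steps.checkout-depth.outputs.image-name }}
          path: |
            ${{ matrix.dockerfile }}/trivy-results.sarif
            ${{ matrix.dockerfile }}/syft-results.json
            ${{ matrix.dockerfile }}/sbom.csv
            ${{ matrix.dockerfile }}/grype.txt
            ${{ matrix.dockerfile }}/cyclonedx.json
          if-no-files-found: error
          retention-days: 1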